Bug#737534: vlc: unsafe use of libtar

Raphael Geissert geissert at debian.org
Mon Feb 3 15:08:02 UTC 2014


Package: vlc
Severity: important
Tags: security

Hi,

vlc uses libtar to unpack skins, however, its use on untrusted data
exposes it to CVE-2013-4420 (#731860).

Changing the behaviour of libtar appears to be problematic because
some applications have relied on the, lack of, path sanitation (cf.
https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
and the follow-ups).
What appears to be the safe way to handle this issue is making sure
that libtar is not used on untrusted data without file path validation
- that would mean that vlc would have to check for every file that is
about to be extracted that none contains a ../, and something similar
for symlinks.

Alternatively, vlc could just use tar(1) to unpack the tarballs, or
drop support for skins or skins in tarballs.

What do you think?

This should probably be forwarded to upstream.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
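The per-member check the report asks for (reject any path that climbs out of the extraction directory via `..`, and apply the same rule to symlink targets resolved against the link's own directory) can be done lexically, before any file is created. The following is an added example written for this page; it is not VLC's or libtar's code, and the function names `tar_member_name_is_safe` and `tar_symlink_is_safe` are hypothetical. It does not call libtar at all: it is the gate a caller would run on each header's name (and link target) before handing the member to the extraction routine.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not VLC or libtar code: lexical validation of tar member
 * paths so that nothing is written outside the extraction directory.
 * Function names are hypothetical. */

/* Walk a '/'-separated path starting at nesting level `depth`, treating
 * "." as a no-op and ".." as one level up.  Returns the final depth, or -1
 * as soon as the path climbs above level 0 (i.e. above the extraction root). */
static int walk_depth(const char *path, int depth)
{
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return -1;              /* escaped the root: unsafe */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                    /* ordinary component */
        }
        if (!end)
            break;
        p = end + 1;                    /* skip the separator (handles "a//b") */
    }
    return depth;
}

/* A member name is safe when it is non-empty, relative, and never contains
 * a ".." component that climbs above the extraction root. */
int tar_member_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    return walk_depth(name, 0) >= 0;
}

/* A symlink member is safe when its own name is safe and its target,
 * resolved lexically against the directory the link lives in, still
 * points inside the extraction root. */
int tar_symlink_is_safe(const char *name, const char *target)
{
    if (!tar_member_name_is_safe(name))
        return 0;
    if (target == NULL || target[0] == '\0' || target[0] == '/')
        return 0;                       /* absolute targets are rejected outright */
    int dir_depth = walk_depth(name, 0) - 1;   /* depth of dirname(name) */
    if (dir_depth < 0)
        dir_depth = 0;
    return walk_depth(target, dir_depth) >= 0;
}

int main(void)
{
    /* Constructed sample member names, as they might appear in skin tarballs. */
    const char *names[] = { "skins/default/theme.xml", "a/b/../c",
                            "../../../etc/passwd", "/etc/passwd", "a/../.." };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s %s\n", names[i],
               tar_member_name_is_safe(names[i]) ? "ok" : "REJECT");

    printf("symlink skin/link -> ../other          %s\n",
           tar_symlink_is_safe("skin/link", "../other") ? "ok" : "REJECT");
    printf("symlink skin/link -> ../../etc/passwd  %s\n",
           tar_symlink_is_safe("skin/link", "../../etc/passwd") ? "ok" : "REJECT");
    return 0;
}
```

The check is purely lexical, so it assumes the extraction directory is freshly created and empty: a pre-existing symlink inside it would let a lexically valid name resolve elsewhere. Hard-link targets, which the report does not mention, would need the same `tar_member_name_is_safe` test.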


