Bug 1114779 (CVE-2018-4013)

Summary: VUL-0: CVE-2018-4013: live555: critical remote code execution vulnerability in the LIVE555 media streaming library
Product: [openSUSE] openSUSE Distribution Reporter: Deleted Name <deleted>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Major    
Priority: P3 - Medium CC: astieger, Mathias.Homann, meissner
Version: Leap 15.0   
Target Milestone: ---   
Hardware: x86-64   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Deleted Name 2018-11-05 22:54:33 UTC
I couldn't find a bug report for this, so I am sharing the info here as according to zypper openSUSE distributes live555-devel package:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4013

https://www.hackread.com/watch-out-for-this-vulnerability-in-vlc-mplayer/
Comment 1 Marcus Meissner 2018-11-06 08:10:51 UTC
Matthias, I assigned it to you as you did the last update.
Comment 2 Mathias Homann 2018-11-06 08:23:32 UTC
...are you sure you're not confusing me with someone else?
Comment 3 Marcus Meissner 2018-11-06 08:55:21 UTC
from top of live555 changes in factory ... 

-------------------------------------------------------------------
Wed Nov  1 12:27:27 UTC 2017 - Mathias.Homann@opensuse.org

- Update to 2017.10.28
2017.10.28:
- Fixed the handling of the LIVE555 Proxy Server's "-u <username> <password>" command-line option if


If you do not want to do it, do you know someone else ?
Comment 4 Mathias Homann 2018-11-06 09:36:43 UTC
nah, i can do it, i just have found the "official process" to prepare and build updates for official packages to be riddled with random rejections in random places for unexplained reasons.
Comment 5 Mathias Homann 2018-11-06 09:58:33 UTC
submitted an updated package to multimedia:libs/live555
Comment 6 Andreas Stieger 2019-01-15 11:07:32 UTC
Version bump: https://build.opensuse.org/request/show/666187

Will handle the maintenance update myself as the package has no designated community maintainer that can handle this.
Comment 7 Andreas Stieger 2019-01-15 13:01:13 UTC
Factory submission: https://build.opensuse.org/request/show/666197
Note that due to bug 1121995 this library is statically linked into vlc. That means that vlc requires a rebuild against the updated live555 for this fix to become effective.
Comment 8 Andreas Stieger 2019-01-15 13:06:52 UTC
Maintenance submission: https://build.opensuse.org/request/show/666215
Comment 9 Andreas Stieger 2019-01-15 16:12:38 UTC
vlc apparently uses the library for the RTSP client only. The vulnerability affects the server component. Rebuild of vlc will not be issued.
Comment 10 Andreas Stieger 2019-01-17 18:50:39 UTC
done
Comment 11 Swamp Workflow Management 2019-01-17 23:39:17 UTC
openSUSE-SU-2019:0058-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1114779,1121892
CVE References: CVE-2018-4013,CVE-2019-6256
Sources used:
openSUSE Leap 42.3 (src):    live555-2018.12.14-7.3.1
openSUSE Leap 15.0 (src):    live555-2018.12.14-lp150.2.3.1
openSUSE Backports SLE-15 (src):    live555-2018.12.14-bp150.3.3.1
Comment 12 Deleted Name 2019-03-04 13:41:35 UTC
> openSUSE-SU-2019:0058-1: An update that fixes two vulnerabilities is now available.
> [...]
> openSUSE Leap 15.0 (src):    live555-2018.12.14-lp150.2.3.1

Could someone please clarify what this means? On my system 'zypper se -s live555' shows version 2017.10.28-lp150.1.9