Bug 1114779 - (CVE-2018-4013) VUL-0: CVE-2018-4013: live555: critical remote code execution vulnerability in the LIVE555 media streaming library
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.0
Hardware: x86-64 Other
Importance: P3 - Medium / Major
Assigned To: Security Team bot
Reported: 2018-11-05 22:54 UTC by Deleted Name
Modified: 2019-03-04 13:41 UTC (History)
Description Deleted Name 2018-11-05 22:54:33 UTC
I couldn't find a bug report for this, so I am sharing the info here, as according to zypper openSUSE distributes the live555-devel package:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4013

https://www.hackread.com/watch-out-for-this-vulnerability-in-vlc-mplayer/
Comment 1 Marcus Meissner 2018-11-06 08:10:51 UTC
Matthias, I assigned it to you as you did the last update.
Comment 2 Mathias Homann 2018-11-06 08:23:32 UTC
...are you sure you're not confusing me with someone else?
Comment 3 Marcus Meissner 2018-11-06 08:55:21 UTC
from top of live555 changes in factory ... 

-------------------------------------------------------------------
Wed Nov  1 12:27:27 UTC 2017 - Mathias.Homann@opensuse.org

- Update to 2017.10.28
2017.10.28:
- Fixed the handling of the LIVE555 Proxy Server's "-u <username> <password>" command-line option if

If you do not want to do it, do you know someone else?
Comment 4 Mathias Homann 2018-11-06 09:36:43 UTC
nah, I can do it, I just have found the "official process" to prepare and build updates for official packages to be riddled with random rejections in random places for unexplained reasons.
Comment 5 Mathias Homann 2018-11-06 09:58:33 UTC
submitted an updated package to multimedia:libs/live555
Comment 6 Andreas Stieger 2019-01-15 11:07:32 UTC
Version bump: https://build.opensuse.org/request/show/666187

Will handle the maintenance update myself as the package has no designated community maintainer that can handle this.
Comment 7 Andreas Stieger 2019-01-15 13:01:13 UTC
Factory submission: https://build.opensuse.org/request/show/666197
Note that due to bug 1121995 this library is statically linked into vlc. That means that vlc requires a rebuild against the updated live555 for this fix to become effective.
Comment 8 Andreas Stieger 2019-01-15 13:06:52 UTC
Maintenance submission: https://build.opensuse.org/request/show/666215
Comment 9 Andreas Stieger 2019-01-15 16:12:38 UTC
vlc apparently uses the library for the RTSP client only. The vulnerability affects the server component. Rebuild of vlc will not be issued.
Comment 10 Andreas Stieger 2019-01-17 18:50:39 UTC
done
Comment 11 Swamp Workflow Management 2019-01-17 23:39:17 UTC
openSUSE-SU-2019:0058-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1114779,1121892
CVE References: CVE-2018-4013,CVE-2019-6256
Sources used:
openSUSE Leap 42.3 (src):    live555-2018.12.14-7.3.1
openSUSE Leap 15.0 (src):    live555-2018.12.14-lp150.2.3.1
openSUSE Backports SLE-15 (src):    live555-2018.12.14-bp150.3.3.1
Comment 12 Deleted Name 2019-03-04 13:41:35 UTC
> openSUSE-SU-2019:0058-1: An update that fixes two vulnerabilities is now available.
> [...]
> openSUSE Leap 15.0 (src):    live555-2018.12.14-lp150.2.3.1

Could someone please clarify what this means? On my system 'zypper se -s live555' shows version 2017.10.28-lp150.1.9