Bugzilla – Bug 1114779
VUL-0: CVE-2018-4013: live555: critical remote code execution vulnerability in the LIVE555 media streaming library
Last modified: 2019-03-04 13:41:35 UTC
I couldn't find a bug report for this, so I am sharing the info here, as according to zypper, openSUSE distributes the live555-devel package:
Matthias, I assigned it to you as you did the last update.
...are you sure you're not confusing me with someone else?
from top of live555 changes in factory ...
Wed Nov 1 12:27:27 UTC 2017 - Mathias.Homann@opensuse.org
- Update to 2017.10.28
- Fixed the handling of the LIVE555 Proxy Server's "-u <username> <password>" command-line option if
If you do not want to do it, do you know someone else?
Nah, I can do it, I just have found the "official process" to prepare and build updates for official packages to be riddled with random rejections in random places for unexplained reasons.
Submitted an updated package to multimedia:libs/live555
Version bump: https://build.opensuse.org/request/show/666187
Will handle the maintenance update myself as the package has no designated community maintainer that can handle this.
Factory submission: https://build.opensuse.org/request/show/666197
Note that due to bug 1121995 this library is statically linked into vlc. That means that vlc requires a rebuild against the updated live555 for this fix to become effective.
Maintenance submission: https://build.opensuse.org/request/show/666215
vlc apparently uses the library for the RTSP client only. The vulnerability affects the server component. Rebuild of vlc will not be issued.
openSUSE-SU-2019:0058-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1114779,1121892
CVE References: CVE-2018-4013,CVE-2019-6256
openSUSE Leap 42.3 (src): live555-2018.12.14-7.3.1
openSUSE Leap 15.0 (src): live555-2018.12.14-lp126.96.36.199
openSUSE Backports SLE-15 (src): live555-2018.12.14-bp188.8.131.52
> openSUSE-SU-2019:0058-1: An update that fixes two vulnerabilities is now available.
> openSUSE Leap 15.0 (src): live555-2018.12.14-lp184.108.40.206
Could someone please clarify what this means? On my system 'zypper se -s live555' shows version 2017.10.28-lp150.1.9