Your message dated Wed, 23 Jan 2008 12:02:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#461544: fixed in vlc 0.8.6.c-4.1~lenny2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: vlc
Version: 0.8.6-svn20061012.debian-5etch1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vlc.

CVE-2008-0296[0]:
| Heap-based buffer overflow in the libaccess_realrtsp plugin in
| VideoLAN VLC Media Player 0.8.6d and earlier on Windows might allow
| remote RTSP servers to cause a denial of service (application crash)
| or execute arbitrary code via a long string.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

I contacted upstream for a patch of this.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.c-4.1~lenny2
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.c-4.1~lenny2_i386.deb
libvlc0_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/libvlc0_0.8.6.c-4.1~lenny2_i386.deb
mozilla-plugin-vlc_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-4.1~lenny2_i386.deb
vlc-nox_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/vlc-nox_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-alsa_0.8.6.c-4.1~lenny2_all.deb
to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-4.1~lenny2_all.deb
vlc-plugin-arts_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-esd_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-ggi_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-glide_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/vlc-plugin-glide_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-sdl_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-svgalib_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-4.1~lenny2_i386.deb
vlc_0.8.6.c-4.1~lenny2.diff.gz
to pool/main/v/vlc/vlc_0.8.6.c-4.1~lenny2.diff.gz
vlc_0.8.6.c-4.1~lenny2.dsc
to pool/main/v/vlc/vlc_0.8.6.c-4.1~lenny2.dsc
vlc_0.8.6.c-4.1~lenny2_i386.deb
to pool/main/v/vlc/vlc_0.8.6.c-4.1~lenny2_i386.deb
wxvlc_0.8.6.c-4.1~lenny2_all.deb
to pool/main/v/vlc/wxvlc_0.8.6.c-4.1~lenny2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 22 Jan 2008 07:38:58 +0100
Source: vlc
Binary: wxvlc vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-alsa vlc-plugin-glide
vlc-plugin-esd mozilla-plugin-vlc vlc libvlc0 vlc-plugin-arts vlc-nox
vlc-plugin-svgalib libvlc0-dev
Architecture: source all i386
Version: 0.8.6.c-4.1~lenny2
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-alsa - dummy transitional package
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-glide - Glide video output plugin for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
wxvlc - dummy transitional package
Closes: 461544
Changes:
 vlc (0.8.6.c-4.1~lenny2) testing-security; urgency=high
 .
   * Non-maintainer upload by security team.
   * This update addresses the following security issues (Closes: #461544).
     - CVE-2008-0295: Heap-based buffer overflow in real_sdpplin.c
       which could lead to user-assisted arbitrary code execution
       via crafted SDP data.
     - CVE-2008-0296: Heap-based buffer overflow in libaccess_realrtsp plugin
       which might lead to arbitrary code execution via a crafted RTSP server.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHlfd3HYflSXNkfP8RApdMAJ4za4PSffs2qBSABlIH12DL2Ain5gCeIoMo
F8XuOvYGjxjfb1hNpkRq7YA=
=Ytpp
-----END PGP SIGNATURE-----
--- End Message ---