Source: vlc Version: 2.1.5-1 Severity: grave Tags: security Justification: user security hole
Hi, multiple vulnerabilities were reported against vlc 2.1.5. The complete mail is at http://seclists.org/oss-sec/2015/q1/187 but at least the following vulnerabilities are fixed in vlc master branch: * Buffer overflow in updater: https://github.com/videolan/vlc/commit/fbe2837bc80f155c001781041a54c58b5524fc14 * Buffer overflow in mp4 demuxer: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39 * Potential buffer overflow in Schroedinger Encoder https://github.com/videolan/vlc/commit/9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5 * Invalid memory access in rtp code: https://github.com/videolan/vlc/commit/204291467724867b79735c0ee3aeb0dbc2200f97 * Null-pointer dereference in dmo codec: https://github.com/videolan/vlc/commit/229c385a79d48e41687fae8b4dfeaeef9c8c3eb7 And there are unfixed ones: * The potential buffer overflow in the Dirac Encoder was not fixed as the Dirac encoder no longer exists in the master branch. * The potential invalid writes in modules/services_discovery/sap.c and modules/access/ftp.c were not fixed as I did not provide a trigger. Note, that the code looks very similar to the confirmed bug in rtp_packetize_xiph_config, and so I leave it to you to decide whether you want to patch this. CVEs should follow soon. Also, I guess Wheezy and Jessie are affected too, so a DSA might be needed. Regards, -- Yves-Alexis -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) _______________________________________________ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
