From oss-security: "When opening a malformed MKV (WebM or Matroska) file in VLC, it is possible to corrupt memory and execute arbitrary code. Proof-of-concept exploit code is available and may be made public soon." http://www.videolan.org/security/sa1102.html http://git.videolan.org/?p=vlc.git;a=commit;h=59491dcedffbf97612d2c572943b56ee4289dd07 Upstream release 1.1.7 not yet available.
bumped to 1.1.7
(In reply to comment #1) > bumped to 1.1.7 > Great, thank you. Arches, please test and mark stable: =media-video/vlc-1.1.7 Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Adding, STABLEREQ; apologies for the bugspam.
amd64 ok
amd64 done. Thanks Agostino
ppc/ppc64 stable
Looks good to go on x86 also. I've encountered two things, but they're no regressions... USE="aalib -X" make[5]: Entering directory `/var/tmp/portage/media-video/vlc-1.1.7/work/vlc-1.1.7/modules/video_output' CC libaa_plugin_la-keythread.lo CC libaa_plugin_la-aa.lo CC libggi_plugin_la-ggi.lo aa.c:42:4: error: #error Xlib required due to XInitThreads CC libsvgalib_plugin_la-svgalib.lo make[5]: *** [libaa_plugin_la-aa.lo] Error 1 ------------ USE="sdl -X" CC libfb_plugin_la-fb.lo CC libggi_plugin_la-ggi.lo CC libvout_sdl_plugin_la-sdl.lo sdl.c:46:4: error: #error Xlib required due to XInitThreads make[5]: *** [libvout_sdl_plugin_la-sdl.lo] Error 1
stable x86, thanks Andreas
Stable on alpha.
sparc stable
Thanks folks. Added to existing GLSA request.
CVE-2011-0531 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0531): demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary commands via a crafted MKV (WebM or Matroska) file that triggers memory corruption, related to "class mismatching" and the MKV_IS_ID macro.
This issue was resolved and addressed in GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml by GLSA coordinator Sean Amoss (ackle).
