Summary: | media-video/vlc <0.8.6f Multiple Vulnerabilities (CVE-2008-{1489,1768,1769}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | aballier |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2008-03-25 01:22:27 UTC
I'm opening this bug restricted. Since the patches are public, i'm rating it SEMI-PUBLIC. I enquired with Drew Yao about the publicity status. IMHO we can wait until the xine issues from bug 214270 are fixed, and stable a big bump. Alexis, what do you think? (In reply to comment #1) > I'm opening this bug restricted. Since the patches are public, i'm rating it > SEMI-PUBLIC. I enquired with Drew Yao about the publicity status. hmm damn; I had completely forgot about the mp4's ones for -r1. The other ones have been pushed only very recently. > IMHO we can wait until the xine issues from bug 214270 are fixed, and stable a > big bump. Alexis, what do you think? What I would prefer is waiting for 0.8.6f to be sure we do not forget anything, but as we have the patches, just ping me when you think its time. (In reply to comment #0) > * Integer overflow in Cinepak codec > http://trac.videolan.org/vlc/changeset/18eb4fd5a75b6429d1d7058a8967696be701a00b if we choose to patch we mustn't forget: cinepak: do not access arrays beyond allocated size 0.8.6-bugfix http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=cf489d7bff3c1b36b2d5501ecf21129c78104d98 I heard the release should come out within a week, so we could wait. Public, as agreed by both Drew and VLC upstream. 0.8.6f is out, I wonder how many of these changes were actually merged (judging from the changelog, not all) and what the xine bug 214270 status is. (In reply to comment #6) > 0.8.6f is out, I wonder how many of these changes were actually merged bumped; all the fixes should be there: Changes between 0.8.6e and 0.8.6f: ---------------------------------- Security updates: * Really fixed subtitle buffer overflow (CVE-2007-6681) * Fixed Real RTSP code execution problem (CVE-2008-0073) * Fixed MP4 integer overflows (CVE-2008-1489) * Fixed cinepak integer overflow Various bugfixes: * The Mozilla plugin registers a usable range of MIME-types on Mac OS X * Improved VLC's video output behavior on multi-screen setups running Mac OS X * Fixed crashes in H264 packetizer * Close MMS access on network timeout * Fix some problems with AAC decoder & packetizer Arches, please test and mark stable: =media-video/vlc-0.8.6f Target keywords : "alpha amd64 ppc release sparc x86" Stable on alpha. amd64/x86 stable sparc stable ppc stable Fixed in release snapshot. CVE-2008-1768 covers the last four links of the initial posting (all integer overflows except for CVE-2008-1489). CVE-2008-1769 covers the issue from comment 3. GLSA 200804-25 |