Summary: | media-video/vlc < 0.8.6i Integer overflow in WAV demuxer (CVE-2008-2430) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | media-video |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://secunia.com/advisories/30601/ | | |
Whiteboard: | A2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2008-07-03 23:59:59 UTC
FYI: 0.9.0-test1 (_beta1 for us) isn't affected, but it is not really possible to stabilise it yet. Imho we should wait for 0.8.6i that should come with a couple of other bugfixes too.

As I understood it, this is a Windows-only problem. I already saw the advisory some days ago (well, maybe it was only yesterday) and didn't file a bug for this reason. See http://securitytracker.com/alerts/2008/Jul/1020429.html -- it says Underlying OS: Windows (Any)

Secunia ($URL) says: The vulnerability is confirmed in version 0.8.6h *on Windows*. No idea whether this really means that only Windows is affected, the wording is a bit ambiguous, imo.

The Secunia advisory stated that it is confirmed with version 0.8.6h on Windows, but that does not mean that only Windows versions are affected (neither does it mean that 0.8.6g is unaffected). The code path that is changed by the patch is not specific to Windows, so I would assume this issue affects Linux.

Any news on the new version?

0.8.6i is in the tree now.
Videolan SA: http://www.videolan.org/security/sa0806.html
Release notes: http://wiki.videolan.org/Changelog/0.8.6i
Changes from current stable also contains: http://wiki.videolan.org/Changelog/0.8.6h

Arches, please test and mark stable:
=media-video/vlc-0.8.6i
Target keywords : "alpha amd64 ppc sparc x86"

sparc/x86 stable

Stable on alpha.

ppc stable

amd64 stable

GLSA request filed.

GLSA 200807-13