Summary: | media-video/vlc < 0.9.5: TiVo demuxer buffer overflow (CVE-2008-4654,CVE-2008-4686) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Christian Hoffmann (RETIRED) <hoffie> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | impulze, media-video |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | http://mailman.videolan.org/pipermail/vlc/2008-August/015827.html | ||
Whiteboard: | ~2 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Christian Hoffmann (RETIRED)
2008-10-19 10:17:04 UTC
http://www.videolan.org/security/sa0809.html maybe better than "unknown security issues" :) Code paths in ty.c are different in VLC 0.8.6i, so it does not seem affected. This can also be handled here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4686 vlc 0.9.5 is in the tree; I had to drop alpha, ppc and ppc64 keywords due to the new dep: libv4l. I dunno if you want to handle rekeywording here. (In reply to comment #0) > [1] http://mailman.videolan.org/pipermail/vlc/2008-October/016125.html The tivo bug doesn't affect current stable it seems, and since this is open source I tend to consider "unknown security issues" as FUD. However, RĂ©mi is probably right there: there have been lots of bugfixes in 0.9 since 0.8.6, and if analysed correctly may probably lead to exploitable code. I don't have the courage to dig into two years of changes. As such, I'd like to have 0.9.5 stable asap, be it done for/by security or not. Maybe we could have a compromise: wait a couple of weeks just in case and then move it to stable? 0.9.x are just bugfixes releases of 0.9.0. All the issues we are currently aware of only affect ~arch ebuils (>0.9.0 <0.9.5) of VLC. Given the warning by upstream and you (Alexis), I agree we should push 0.9.5 to our stable users sooner than later. Let's get the ~arch keywords back now, and target a stabling on this bug in one week, Oct. 31. == Arches: alpha, ppc, ppc64 == Please readd your ~arch keywords to =media-video/vlc-0.9.5 ~ppc64 done Added ~ppc (In reply to comment #6) > Let's get the ~arch keywords back now, and target a stabling on this bug in one > week, Oct. 31. So it seems we'll need this for stabling a new ffmpeg... Stable date is due, stabling will be handled on bug 245774 after all issues are ironed out. Moving the blocker against bug 245285 to bug 245774... alpha's ~arch on >=0.9.5 is still needed for this but to be FIXED 09 Nov 2008; Tobias Klausmann <klausman@gentoo.org> vlc-0.9.6.ebuild: Stable on alpha, bug #245774 |