| Field | Value |
|---|---|
| Summary | <media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers (CVE-2011-3623) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Alex Legler (RETIRED) <a3li> |
| Assignee | Gentoo Security <security> |
| CC | media-video, nirbheek, toralf |
| URL | http://secunia.com/advisories/36762/ |
| Whiteboard | B2 [glsa] |
| Package list | (none) |
| Runtime testing required | --- |
| Bug Depends on | 276278, 284776, 287423 |
| Bug Blocks | 280393, 284781 |
Description
Alex Legler (RETIRED)
2009-09-17 23:15:33 UTC
All three will be fixed in 1.0.2, and these affect <1.0.2.

1.0.2 is in the tree, and you have: http://www.videolan.org/security/sa0901.html

*** Bug 284780 has been marked as a duplicate of this bug. ***

Go with 1.0.2 stable; arm still needs to rekeyword.

Now your latest ~arch is vulnerable to this.

x86 stable

20 Sep 2009; Markus Meier <maekke@gentoo.org> vlc-1.0.2.ebuild: add ~arm, bug #276278

amd64 stable

This triggers a whole slew of necessary updates: '>=media-sound/pulseaudio-0.9.11', '>=media-libs/libdvbpsi-0.1.6', '>=media-libs/schroedinger-1.0.6', 'media-libs/libtiger'. You sure about those?

(In reply to comment #8)
> This triggers a whole slew of necessary updates:
>
> '>=media-sound/pulseaudio-0.9.11', '>=media-libs/libdvbpsi-0.1.6',
> '>=media-libs/schroedinger-1.0.6', 'media-libs/libtiger'
>
> You sure about those?

Yes, pulseaudio -> http://bugs.gentoo.org/284776 (alpha is CC'd); for the others, follow the lead of amd64/x86 wrt keywords.

Stable on alpha.

kate module compilation failed on ppc, bug 287423

I've been caught by bug 282390. Now I need another ppc team member to confirm it's ppc-related... or stabilize vlc. All dependencies are stable.

Unfortunately, this bug has been confirmed by another ppc dev.

sparc stable

*** Bug 282089 has been marked as a duplicate of this bug. ***

Actually, the ffmpeg bug isn't related to vlc in any way (vlc-1.0.2 doesn't need a newer ffmpeg), so vlc-1.0.2 is now stable for ppc. This was the last arch, so, security team, you can fix the bug.

GLSA request was added to pending vlc GLSA by a3li.

<media-video/vlc-1.0.2 is no longer in tree. Can one of our new scouts check if there is a CVE for this and request one if there is none?

CVE requested.

This issue was resolved and addressed in GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml by GLSA coordinator Sean Amoss (ackle).