Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 370321 (CVE-2011-2194)

Summary: <media-video/vlc-1.1.10: heap corruption / integer overflow in XSPF playlist parser (CVE-2011-2194)
Product: Gentoo Security Reporter: Alexis Ballier <aballier>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alexanderyt, media-video
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Alexis Ballier gentoo-dev 2011-06-06 19:16:17 UTC
not sure how/if you want to track it but 1.1.10 changelog mentions:

Demuxer:
 * Fix heap corruption / integer overflow in XSPF playlist parser

relevant commit:

http://git.videolan.org/gitweb.cgi/vlc/vlc-1.1.git/?a=commit;h=74d34b63fdda947c4e92f19e43cac0c51aabc4d7


anyway, I think it couldnt hurt to stabilize 1.1.10 (and it fixes a regression introduced by ourselves in 1.1.9, fixed in 1.1.9-r1 and upwards); opinions ?
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-06-07 04:01:27 UTC
(In reply to comment #0)
> 
> anyway, I think it couldnt hurt to stabilize 1.1.10 (and it fixes a regression
> introduced by ourselves in 1.1.9, fixed in 1.1.9-r1 and upwards); opinions ?

Agreed, and thanks for the bug. 

Arches, please test and mark stable:
=media-video/vlc-1.1.10
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Comment 2 Markos Chandras (RETIRED) gentoo-dev 2011-06-07 10:28:21 UTC
amd64 done
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-08 08:43:47 UTC
x86 stable
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-06-08 10:12:32 UTC
ppc/ppc64 stable
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-06-08 15:27:39 UTC
amd64 ok
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2011-06-12 11:45:29 UTC
alpha/sparc stable
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-06-12 18:27:56 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2011-06-25 12:16:32 UTC
CVE-2011-2194 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2194):
  Integer overflow in the XSPF playlist parser in VLC 0.8.5 through 1.1.9
  allows remote attackers to cause a denial of service (crash) and possibly
  execute arbitrary code via unspecified vectors that trigger a heap-based
  buffer overflow.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-11-05 22:08:53 UTC
This issue was resolved and addressed in
 GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml
by GLSA coordinator Sean Amoss (ackle).