| | | | |
|---|---|---|---|
| Summary: | <media-video/vlc-1.1.10: heap corruption / integer overflow in XSPF playlist parser (CVE-2011-2194) | | |
| Product: | Gentoo Security | Reporter: | Alexis Ballier <aballier> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | alexanderyt, media-video |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Alexis Ballier
(In reply to comment #0)
> anyway, I think it couldn't hurt to stabilize 1.1.10 (and it fixes a regression
> introduced by ourselves in 1.1.9, fixed in 1.1.9-r1 and upwards); opinions?

Agreed, and thanks for the bug.

Arches, please test and mark stable:
=media-video/vlc-1.1.10
Target keywords : "alpha amd64 ppc ppc64 sparc x86"

amd64 done

x86 stable

ppc/ppc64 stable

amd64 ok

alpha/sparc stable

Thanks, everyone. Added to existing GLSA request.

CVE-2011-2194 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2194):
Integer overflow in the XSPF playlist parser in VLC 0.8.5 through 1.1.9 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors that trigger a heap-based buffer overflow.

This issue was resolved and addressed in GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml by GLSA coordinator Sean Amoss (ackle).
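The CVE text above names the bug class but, as the NVD entry says, not the vector. The following is an added illustration of that class and is not VLC's code, not the XSPF parser, and not the actual vulnerable path: a playlist loader that computes an allocation size from an attacker-controlled track count in 32-bit arithmetic, so the product wraps, a small heap block is allocated, and a later copy of `count` entries overruns it. The `track_t` layout, the 32-bit `alloc_size_t`, the `MAX_TRACKS` cap, the hostile count and the sample durations are all constructed for the example. The hardened helper beside it rejects the count before multiplying.

```c
/* Added example, not from VLC or Gentoo: integer overflow in allocation-size
 * arithmetic leading to a heap overflow, vulnerable pattern beside the fix. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size type: size_t on a 32-bit build, so products wrap at 2^32. */
typedef uint32_t alloc_size_t;

/* Constructed playlist entry, 32 bytes so the wrap is easy to follow. */
typedef struct {
    uint32_t duration_ms;
    char     title[28];
} track_t;

/* VULNERABLE: the count comes from the file and the product is computed in
 * the same 32-bit width. 0x08000001 * 32 = 0x100000020, truncated to 32:
 * malloc() returns room for one entry while the parser believes it has room
 * for 134 million, and the subsequent per-entry writes run off the heap block. */
static alloc_size_t vulnerable_alloc_size(uint32_t count) {
    return count * (alloc_size_t)sizeof(track_t);
}

/* True when the 32-bit product differs from the real byte count. */
static bool size_wraps(uint32_t count) {
    return (uint64_t)count * sizeof(track_t) != vulnerable_alloc_size(count);
}

/* HARDENED: check for wrap before multiplying, then apply a policy cap
 * (constructed value) so a hostile count is refused even on 64-bit builds. */
#define MAX_TRACKS 1000000u

static bool hardened_alloc_size(uint32_t count, alloc_size_t *out) {
    if (count > (alloc_size_t)-1 / sizeof(track_t))
        return false;                       /* product would not fit alloc_size_t */
    if (count > MAX_TRACKS)
        return false;                       /* larger than any sane playlist */
    *out = (alloc_size_t)count * (alloc_size_t)sizeof(track_t);
    return true;
}

/* Hardened loader: allocates only after the size is proven to fit, copies only
 * the validated count. Returns NULL with *n_out == 0 when the input is refused. */
static track_t *load_tracks(const uint32_t *durations, uint32_t count, uint32_t *n_out) {
    alloc_size_t bytes;
    *n_out = 0;
    if (!hardened_alloc_size(count, &bytes))
        return NULL;
    track_t *tracks = calloc(count, sizeof *tracks);
    if (!tracks)
        return NULL;
    for (uint32_t i = 0; i < count; i++) {
        tracks[i].duration_ms = durations[i];
        snprintf(tracks[i].title, sizeof tracks[i].title, "track %u", i + 1);
    }
    *n_out = count;
    return tracks;
}

int main(void) {
    uint32_t hostile = 0x08000001u;          /* constructed attacker-chosen count */
    alloc_size_t bytes;
    printf("count=%u wrapped size=%u wraps=%d hardened_accepts=%d\n",
           hostile, vulnerable_alloc_size(hostile), size_wraps(hostile),
           hardened_alloc_size(hostile, &bytes));

    uint32_t durations[3] = {120000u, 95000u, 301000u};   /* constructed input */
    uint32_t n;
    track_t *t = load_tracks(durations, 3, &n);
    printf("loaded %u tracks, first title '%s'\n", n, t ? t[0].title : "");
    free(t);
    return 0;
}
```

On a 64-bit build `size_t` is wide enough that this particular product does not wrap, which is why the hardened helper keeps the policy cap in addition to the overflow check: the cap is what stops a hostile count from turning into a multi-gigabyte allocation or a later index-based overrun.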