Summary: | <media-video/vlc-1.1.11 Parsing Vulnerabilities in RealMediaand AVI (CVE-2011-{2587,2588}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | media-video |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.securelist.com/en/advisories/45066 | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
![]() Bad bug title - request would draw attention here? Every should update this! It is only a rename of the ebuild, followed by ebuild vlc-1.1.11.ebuild manifest *** Bug 375845 has been marked as a duplicate of this bug. *** @security 1.1.11 is in tree, there is a reason because we cannot proceed? Upstream advisories: http://www.videolan.org/security/sa1105.html http://www.videolan.org/security/sa1106.html Arches, please test and mark stable: =media-video/vlc-1.1.11 Target keywords : "alpha amd64 ppc ppc64 sparc x86" amd64 ok + 17 Aug 2011; Tony Vroon <chainsaw@gentoo.org> vlc-1.1.11.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in + security bug #375167. ppc/ppc64 stable @x86 Works for me with following USE. Not tried more combination, Just installed on my laptop and works. [ebuild R ] media-video/vlc-1.1.11 USE="alsa dbus mp3 mpeg ogg vorbis" x86 stable, thanks Agostino alpha/sparc stable Thanks all, adding glsa in whiteboard. Thanks, everyone. Added to existing GLSA request. CVE-2011-2588 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2588): Heap-based buffer overflow in the AVI_ChunkRead_strf function in libavi.c in the AVI demuxer in VideoLAN VLC media player before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted AVI media file. CVE-2011-2587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2587): Heap-based buffer overflow in the DemuxAudioSipr function in real.c in the RealMedia demuxer in VideoLAN VLC media player 1.1.x before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Real Media file. This issue was resolved and addressed in GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml by GLSA coordinator Sean Amoss (ackle). |