| Summary: | <media-video/vlc-2.1.5: Multiple vulnerabilities (CVE-2014-{9597,9598,9625,9626,9627,9628,9629,9630}, CVE-2015-{1202,1203}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | media-video, proxy-maint, SDNick484 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://seclists.org/oss-sec/2015/q1/187 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=539840 | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
2015-01-20 17:30:06 UTC
We should mark 2.2.0 stable. Comments?

Too soon. Nick only started on this 3 days ago. vlc was a neglected mess. I still can't get it to build on my system, which is why I have had to tread very carefully and bring in extra support for Nick.

This could help: https://bugs.gentoo.org/show_bug.cgi?id=548546

Changes between 2.1.5 and 2.1.6:
--------------------------------
Audio output:
* Fix OSS stuttering

Security:
* Fix heap overflow in decomp stream filter
* Fix buffer overflow in updater
* Fix potential buffer overflow in schroedinger encoder
* Fix null-pointer dereference in DMO decoder
* Fix buffer overflow in parsing of string boxes in mp4 demuxer
* Fix SRTP integer overflow
* Fix potential crash in zip access
* Fix read overflow in Ogg demuxer

This confuses the issue all the more. Here we're talking about making 2.2.1 stable and purging the 2.1.x series, and you add a 2.1.6 into the mix. We need to know why the 2.1.x series should be kept at all.

2.1.x series has been dropped for some time now.

Added to existing GLSA.

This issue was resolved and addressed in GLSA 201603-08 at https://security.gentoo.org/glsa/201603-08 by GLSA coordinator Kristian Fiskerstrand (K_F).