From $URL: VLC media player suffers from a NULL dereference vulnerability in the HTTP and RTSP server component. Impact If successful, a malicious third party could crash the server process. Arbitrary code execution within the context of VLC media player is not believed possible. Threat mitigation Exploitation of those bugs requires the user to explicitly start the HTTP web interface, HTTP output, RTSP output or RTSP VoD functions. Workarounds Where possible, limit access to the VLC server to trusted IP addresses. Alternatively, configure a deep inspection firewall to block malformed HTTP and RTSP requests. Solution VLC media player 1.1.12 addresses this issue. A source code patch is also available as an alternative.
@maintainer: it looks like we have vlc-1.1.12 ebuild as ~arch. Is it ready to be tested for stable?
(In reply to comment #1) > @maintainer: it looks like we have vlc-1.1.12 ebuild as ~arch. Is it ready to > be tested for stable? yes
Arches, please test and mark stable: =media-video/vlc-1.1.12 Target KEYWORDS : "alpha amd64 ppc ppc64 sparc x86"
CVE-2011-1087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1087): Buffer overflow in VideoLAN VLC media player 1.0.5 allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .mp3 file that is played during bookmark creation. CVE-2010-3124 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3124): Untrusted search path vulnerability in bin/winvlc.c in VLC Media Player 1.1.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wintab32.dll that is located in the same folder as a .mp3 file.
amd64: pass NB: .la file present, I don't know if those should be fixed or not.
(In reply to comment #5) > amd64: pass > > NB: .la file present, I don't know if those should be fixed or not. Fixed in 9999 version atm
x86 stable
amd64 done. Thanks Elijah and Agostino
ppc/ppc64 stable
alpha/sparc stable
Thanks folks. Added glsa request vote.
Thanks, everyone. We'll send this with the existing VLC bugs.
This issue was resolved and addressed in GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml by GLSA coordinator Sean Amoss (ackle).
