Not much more information besides vlc-2.0.2 NEWS file:

Security:
 * Fix Ogg Heap buffer overflow

and this commit:
http://git.videolan.org/gitweb.cgi/vlc/vlc-2.0.git/?a=commit;h=16e9e126333fb7acb47d363366fee3deadc8331e

2.0.2 should be safe to stabilise though.
ok to proceed with stabilization?
CVE-2012-3377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3377): Heap-based buffer overflow in the Ogg_DecodePacket function in the OGG demuxer (modules/demux/ogg.c) in VideoLAN VLC media player before 2.0.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted OGG file.
@video, would you like us to stabilize 2.0.2 or 2.0.3?
Stabilize media-video/vlc-2.0.3 please
amd64 stable
x86 stable
ppc done
alpha stable
stable ppc64
Thanks, everyone. Already on existing GLSA draft.
This issue was resolved and addressed in GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml by GLSA coordinator Sean Amoss (ackle).