Bug 542222 (CVE-2014-6440) - <media-video/vlc-2.1.5: Heap Overflow in VLC Transcode Module
Summary: <media-video/vlc-2.1.5: Heap Overflow in VLC Transcode Module
Status: RESOLVED FIXED
Alias: CVE-2014-6440
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on: CVE-2014-1684
Blocks:
Reported: 2015-03-05 07:57 UTC by Agostino Sarubbo
Modified: 2016-03-12 12:08 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-03-05 07:57:24 UTC
From ${URL} :

Executive Summary
-----------------

VLC versions before 2.1.5 contain a vulnerability in the transcode module that
may allow a corrupted stream to overflow buffers on the heap. With a
non-malicious input, this could lead to heap corruption and a crash.  However,
under the right circumstances, a malicious attacker could potentially use this
vulnerability to hijack program execution, and on some platforms, execute
arbitrary code.


Remediation
-----------

Prior to being notified of this issue, the VLC team had already made changes to
the 2.2 development branch [0][1][2] that correct this issue by reinitializing
the filters when a format change is detected. However, the fixes had not yet
been backported to the 2.1 maintenance branch.
Once notified, the VLC team quickly resolved the issue by backporting the
relevant patches to the maintenance branch [3][4][5]. They also added an
additional check on both the development[6] and maintenance[7] branches for
good measure.

CVE-2014-6440 [8] was assigned to this issue.

Timeline
--------

 2014-04-18: VLC team notified of issue

 2014-04-19: Fixed in VLC repository

 2014-07-06: VLC 2.1.5 maintenance release


A more detailed writeup can be found on my blog [9].

Please note, I am not subscribed to the list, so please CC me if you reply.

Bill


[0]: http://git.videolan.org/?p=vlc.git;a=commit;h=a3a150b91f09620dc0d81c22db591a20faf4b2a5
[1]: http://git.videolan.org/?p=vlc.git;a=commit;h=39a99d25872f64dacd470fda86ba2193a55cda52
[2]: http://git.videolan.org/?p=vlc.git;a=commit;h=26989ea2d98380eef28843ffa8ca490e8f9d6dae
[3]: http://git.videolan.org/?p=vlc/vlc-2.1.git;a=commit;h=28bd6670a26bf88c2523b7302e2c22f8ca210bb7
[4]: http://git.videolan.org/?p=vlc/vlc-2.1.git;a=commit;h=feca6658b4b84b4bc8b7a08431e811813277d31b
[5]: http://git.videolan.org/?p=vlc/vlc-2.1.git;a=commit;h=e40a4a1a54be2b69e4e001451f0dd91f3857a976
[6]: http://git.videolan.org/?p=vlc.git;a=commit;h=a113b849e428b71813a569021bd10d6974f6621f
[7]: http://git.videolan.org/?p=vlc/vlc-2.1.git;a=commit;h=a5bee4c5cf0c8fca0d1ddaf570aeebc78e824b15
[8]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6440
[9]: http://billblough.net/blog/2015-03-04-cve-2014-6440-heap-overflow-in-vlc-transcode-module
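As an added illustration (not VLC's code, nor from the advisory above), the bug class the advisory describes modelled in C: a transcode filter keeps a heap buffer sized for the stream's initial format, so a frame arriving under a new, larger format must trigger reinitialisation, and an independent size check guards the copy. The `filter_t`/`fmt_t` types, the RGBA frame size and the return codes are assumptions of this model.

```c
/* Hypothetical model of a transcode filter whose frame buffer is sized for
 * the initial stream format. Without reinitialisation on a format change, a
 * larger frame overruns the heap buffer (the CVE-2014-6440 bug class). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned width, height; } fmt_t;

typedef struct {
    fmt_t    fmt;  /* format the buffer was allocated for */
    size_t   cap;  /* bytes allocated for one frame */
    uint8_t *buf;  /* heap buffer; struct must start zero-initialised */
} filter_t;

/* Assumed 4 bytes per pixel (RGBA). */
static size_t frame_bytes(fmt_t f) { return (size_t)f.width * f.height * 4; }

/* (Re)allocate the frame buffer for fmt; returns 0 on success, -1 on OOM. */
int filter_init(filter_t *f, fmt_t fmt) {
    uint8_t *p = malloc(frame_bytes(fmt));
    if (!p) return -1;
    free(f->buf);
    f->buf = p; f->cap = frame_bytes(fmt); f->fmt = fmt;
    return 0;
}

/* Hardened write path: reinitialise when the declared input format differs
 * from the one the buffer was sized for (the fix the advisory describes), and
 * separately refuse any frame that still would not fit (the "additional
 * check"). Returns 0 on success, -1 if reinitialisation failed, -2 if the
 * frame exceeds the buffer. Dropping the length check reintroduces the
 * heap overflow at the memcpy. */
int filter_push(filter_t *f, fmt_t in, const uint8_t *frame, size_t len) {
    if (in.width != f->fmt.width || in.height != f->fmt.height) {
        if (filter_init(f, in) != 0) return -1;
    }
    if (len > f->cap) return -2;
    memcpy(f->buf, frame, len);
    return 0;
}

void filter_free(filter_t *f) { free(f->buf); f->buf = NULL; f->cap = 0; }

int main(void) {
    filter_t f = {0};
    fmt_t small = {2, 2}, big = {4, 4};
    uint8_t frame[64] = {0};   /* constructed sample frame data */
    int ok = filter_init(&f, small) == 0
          && filter_push(&f, big, frame, sizeof frame) == 0   /* resized */
          && filter_push(&f, small, frame, sizeof frame) == -2; /* refused */
    filter_free(&f);
    return ok ? 0 : 1;
}
```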
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2015-03-07 05:14:51 UTC
Cleanup can be done as part of Bug #534532
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 04:50:10 UTC
New GLSA Request filed.
Comment 3 Nick Andrade 2016-02-22 20:58:27 UTC
Vulnerable versions of VLC (i.e. VLC < 2.2.x) are no longer in the tree; I recommend that the security team closes this bug.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 15:26:24 UTC
(In reply to Nick Andrade from comment #3)
> Vulnerable versions of VLC (i.e. VLC < 2.2.x) are no longer in the tree; I
> recommend that the security team closes this bug.

Nick, thank you for the recommendation, but at this time we need to follow the Gentoo Vulnerability treatment policy. This bug is in GLSA status, meaning that the security team has to write and release a GLSA about this vulnerability.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 12:08:05 UTC
This issue was resolved and addressed in
 GLSA 201603-08 at https://security.gentoo.org/glsa/201603-08
by GLSA coordinator Kristian Fiskerstrand (K_F).