CVE-2012-2396 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2396): VideoLAN VLC media player 2.0.1 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted MP4 file.
Please confirm that this is fixed in subsequent versions of media-video/vlc. There is nothing in the change log about this, and no clear information as to what version this was fixed in. Other distros have this in version 2.0.2.
If I'm not mistaken, this issue was fixed in taglib 1.7.2, cf. http://mail.kde.org/pipermail/taglib-devel/2012-April/002244.html . Since this is listed for VLC, does it use any code from this library inline, or does it solely rely on it as a shared library?
Fixed in 2.0.2 as per: http://www.videolan.org/developers/vlc/NEWS . 2.0.2 no longer in tree, setting to GLSA so that GLSA can be released.
This issue was resolved and addressed in GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml by GLSA coordinator Sean Amoss (ackle).