Bug 424435 (CVE-2012-3377) - <media-video/vlc-2.0.3: Ogg Heap buffer overflow (CVE-2012-3377)
Summary: <media-video/vlc-2.0.3: Ogg Heap buffer overflow (CVE-2012-3377)
Status: RESOLVED FIXED
Alias: CVE-2012-3377
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2012-07-01 18:58 UTC by Alexis Ballier
Modified: 2014-11-05 22:09 UTC
See Also:
Package list:
Runtime testing required: ---
Description Alexis Ballier gentoo-dev 2012-07-01 18:58:05 UTC
Not much more information besides the vlc-2.0.2 NEWS file:
Security:
 * Fix Ogg Heap buffer overflow

and this commit:
http://git.videolan.org/gitweb.cgi/vlc/vlc-2.0.git/?a=commit;h=16e9e126333fb7acb47d363366fee3deadc8331e


2.0.2 should be safe to stabilise though.
Comment 1 Agostino Sarubbo gentoo-dev 2012-07-01 21:28:20 UTC
ok to proceed with stabilization?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-07-19 00:05:35 UTC
CVE-2012-3377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3377):
  Heap-based buffer overflow in the Ogg_DecodePacket function in the OGG
  demuxer (modules/demux/ogg.c) in VideoLAN VLC media player before 2.0.2
  allows remote attackers to cause a denial of service (application crash) and
  possibly execute arbitrary code via a crafted OGG file.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-24 10:33:03 UTC
@video, would you like us to stabilize 2.0.2 or 2.0.3?
Comment 4 Ben de Groot (RETIRED) gentoo-dev 2012-09-24 11:18:43 UTC
Stabilize media-video/vlc-2.0.3 please
Comment 5 Agostino Sarubbo gentoo-dev 2012-09-24 19:14:18 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-09-24 20:25:02 UTC
x86 stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2012-10-05 14:24:47 UTC
ppc done
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-10-07 14:05:40 UTC
alpha stable
Comment 9 Anthony Basile gentoo-dev 2012-10-11 07:39:34 UTC
stable ppc64
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-11 13:06:39 UTC
Thanks, everyone.

Already on existing GLSA draft.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-11-05 22:09:42 UTC
This issue was resolved and addressed in
 GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml
by GLSA coordinator Sean Amoss (ackle).