From https://bugzilla.redhat.com/show_bug.cgi?id=1303861: The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string, which triggers an invalid memory access. External references: http://www.scip.ch/en/?vuldb.80728 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8790 Upstream fix: https://github.com/Matroska-Org/libebml/commit/ababb64e0c792ad2a314245233db0833ba12036b From https://bugzilla.redhat.com/show_bug.cgi?id=1303853: The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id, which triggers an invalid memory access. External references: http://www.scip.ch/en/?vuldb.80729 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8791 Upstream fix: https://github.com/Matroska-Org/libebml/commit/24e5cd7c666b1ddd85619d60486db0a5481c1b90
@maintainers, please cleanup the vulnerable versions or let us know if you need additional time.
media-video/vlc-2.2.1-r1 (matroska ? >=dev-libs/libebml-1:0) media-video/vlc-2.2.4 (matroska ? >=dev-libs/libebml-1:0) media-video/vlc-2.2.9999 (matroska ? >=dev-libs/libebml-1:0) media-video/vlc-9999 (matroska ? >=dev-libs/libebml-1:0) @maintainer(s), can VLC be bumped to rely on 1.3.x? There are no indications that the 1.2.x branch is vulnerable, but VLC is the only rdep at this time. Please let us know how you would like to proceed.
GLSA Vote: No Waiting for cleanup in bug 564424.
Tree is clean. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f87d7ca8e04832e2b50a9b140ccd6812e7c45a8