[vlc-devel] Debian/Ubuntu VLC
Reinhard Tartler
siretart at tauware.de
Tue Jul 13 16:14:52 CEST 2010
On Tue, Jul 13, 2010 at 10:01:13 (EDT), Rémi Denis-Courmont wrote:
>> Ping maintainers and debian security team. Indicate the security
>> issue, the patch and or new tarball.
>
> It's not like it's not known:
> http://security-tracker.debian.org/tracker/status/release/stable
it lists 4 CVEs: CVE-2010-1441 - 1445, all of them only affecting the
0.8 series and without any details. So this piece of information is
pretty useless for identifying missing changes in 0.8.x. A tad more
insightful is http://www.videolan.org/security/sa1003.html, which at
least mentions:
- Heap buffer overflow vulnerability in A/52, DTS and MPEG Audio decoders
- Invalid memory access in AVI, ASF, Matroska (MKV) demuxers
- Invalid memory access in XSPF playlist parser
- Invalid memory access in ZIP archive decompressor
- Heap buffer overflow in RTMP access
I guess each of them match to the respective CVE number.
BTW, this is only half the story you mentioned in the beginning
of this thread.
> It's more like nobody cares.
I dont't think that's accurate. I'd rather guess that there is no one
in the distro camp that knows how to match these 5 issues to patches
that fix them.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
More information about the vlc-devel
mailing list