[vlc-devel] Debian/Ubuntu VLC

Reinhard Tartler siretart at tauware.de
Tue Jul 13 16:14:52 CEST 2010


On Tue, Jul 13, 2010 at 10:01:13 (EDT), Rémi Denis-Courmont wrote:

>> Ping maintainers and debian security team. Indicate the security
>> issue, the patch and or new tarball.
>
> It's not like it's not known:
> http://security-tracker.debian.org/tracker/status/release/stable

it lists 4 CVEs: CVE-2010-1441 - 1445, all of them only affecting the
0.8 series and without any details.  So this piece of information is
pretty useless for identifying missing changes in 0.8.x. A tad more
insightful is http://www.videolan.org/security/sa1003.html, which at
least mentions:

 - Heap buffer overflow vulnerability in A/52, DTS and MPEG Audio decoders
 - Invalid memory access in AVI, ASF, Matroska (MKV) demuxers
 - Invalid memory access in XSPF playlist parser
 - Invalid memory access in ZIP archive decompressor
 - Heap buffer overflow in RTMP access

I guess each of them matches the respective CVE number.

BTW, this is only half the story you mentioned in the beginning
of this thread.

> It's more like nobody cares.

I don't think that's accurate. I'd rather guess that there is no one
in the distro camp that knows how to match these 5 issues to patches
that fix them.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
