[vlc-devel] [PACKAGERS] libmodplug is teh suxxor
Rémi Denis-Courmont
remi at remlab.net
Sat May 7 16:36:00 CEST 2011
Hello,
As foretold by Nico Golde a month ago (
http://mailman.videolan.org/pipermail/vlc-devel/2011-April/079653.html ),
another security bug has been found in libmodplug:
http://www.exploit-db.com/exploits/17222/
Upstream has yet to provide a fix for this. And if I trust other code
reviewers, this may only be the beginning of a cat & mouse game.
In this situation, I can only recommend that VLC be compiled without modplug
support. This is normally achieved with the --disable-modplug command line
option to the configure script. If you do not compile VLC yourself, you can
alternatively erase the modplug plugin manually. Either way, VLC will no
longer be able to play tracker files, as there is currently no alternative
VLC plugin for this functionality.
I would like to remind everyone that I generally do not write advisories for
bugs in underlying libraries. I consider this a responsibility of packagers,
not developers. Besides, I simply wouldn't have time to take care of such a
large overall source code asset as the VLC "contribs".
Best regards,
--
Rémi Denis-Courmont
http://www.remlab.info/
http://fi.linkedin.com/in/remidenis