[vlc-devel] [PACKAGERS] libmodplug is teh suxxor

Rémi Denis-Courmont remi at remlab.net
Sat May 7 16:36:00 CEST 2011


As foretold by Nico Golde a month ago ( 
http://mailman.videolan.org/pipermail/vlc-devel/2011-April/079653.html ), 
another security bug has been found in libmodplug:
Upstream has yet to provide a fix for this. And if I trust other code 
reviewer, this may only be the beginning of a cat & mouse game.

In this situation, I can only recommend that VLC be compiled without modplug 
support. This is normally achieved with the --disable-modplug command line 
option to the configure script. If you do not compile VLC yourself, you can 
alternatively erase the modplug plugin manually. Either way, VLC will not 
anymore be able to play tracker files, as there are currently no alternative 
VLC plugin for this functionality.

I would like to remind everyone that I generally do not write advisories for 
bugs in underlying libraries. I consider this a responsibility of packagers, 
not developers. Besides, I simply wouldn't have time to take care of such a 
large overall source code asset as the VLC "contribs".

Best regards,

Rémi Denis-Courmont

More information about the vlc-devel mailing list