[vlc-devel] [PACKAGERS] libmodplug is teh suxxor

Laurent Aimar fenrir at elivagar.org
Sun May 8 17:39:52 CEST 2011


On Sat, May 07, 2011 at 05:36:00PM +0300, Rémi Denis-Courmont wrote:
> 	Hello,
> 
> As foretold by Nico Golde a month ago ( 
> http://mailman.videolan.org/pipermail/vlc-devel/2011-April/079653.html ), 
> another security bug has been found in libmodplug:
> http://www.exploit-db.com/exploits/17222/
> Upstream has yet to provide a fix for this. And if I trust other code 
> reviewers, this may only be the beginning of a cat & mouse game.
> 
> In this situation, I can only recommend that VLC be compiled without modplug 
> support. This is normally achieved with the --disable-modplug command line 
> option to the configure script. If you do not compile VLC yourself, you can 
> alternatively erase the modplug plugin manually. Either way, VLC will no 
> longer be able to play tracker files, as there is currently no alternative 
> VLC plugin for this functionality.

libmodplug 0.8.8.3 is out and fixes this issue and a lot more. For me, it has become
harder to find samples (with zzuf) that segfault than with avcodec, for example (this
is not to say there aren't any issues, of course).

-- 
fenrir


