[vlc] security issues in vlc 0.8.6c
Rémi Denis-Courmont
rdenis at simphalempin.com
Thu Jan 3 19:51:01 CET 2008
On Wednesday 02 January 2008 21:59:51, Nico Golde wrote:
> Hi,
> I am currently investigating the latest vlc security issues
> for Debian.
> About CVE-2007-4619, in the NEWS file you say this is for
> Windows and Mac OS Binaries. Does this vulnerability only
> affect these two systems?
CVE-2007-4619 affects every operating system; however, as far as the VideoLAN
project is concerned, this only affects our binary releases, because we
statically link against libFLAC. I think Debian links dynamically, so VLC
itself would not need to be updated.
> For VideoLAN-SA-0703:
> VLCPlugin::~VLCPlugin()
> {
> + /*
> + ** bump refcount to avoid recursive release from
> + ** following interfaces when releasing this interface
> + */
> + AddRef();
> +
>
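Review bot: the quoted hunk shows only the AddRef() at the top of VLCPlugin::~VLCPlugin(), and the comment refers to "following interfaces" whose release is not in the shown lines, so whether this one change is sufficient cannot be judged from the fragment alone. The bump keeps a nested Release() from the held interfaces from driving the count to zero and re-entering the destructor, but that only holds if every path that destroys the object enters this destructor (i.e. deletion happens from the outer Release() reaching zero) and nothing calls Release() on the plugin object after the body finishes, since the count is deliberately never decremented again. Suggest quoting the rest of the destructor, and extending the comment to say explicitly that the reference is intentionally leaked because the object is already being destroyed.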
> Is this the only change needed to fix this?
That's in the ActiveX plugin. Debian would not care about that patch.
Other patches that I can think of, since 0.8.6c:
https://trac.videolan.org/vlc/changeset/22023
https://trac.videolan.org/vlc/changeset/23198
https://trac.videolan.org/vlc/changeset/23854
https://trac.videolan.org/vlc/changeset/23855
That being noted, Etch (and worse yet Sarge) are both based upon development
versions. We don't keep track of security issues within development releases
given our limited resources. I would bet some security fixes are missing.
Regards,
--
Rémi Denis-Courmont
http://www.remlab.net/
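The reply's point about CVE-2007-4619 is that it matters whether a given VLC build carries its own copy of libFLAC (static link, so VLC itself must be rebuilt) or loads the distribution's libFLAC.so (dynamic link, so updating the libFLAC package is what fixes it). The script below is an added example for checking that on an installed binary; it is not code from the thread or from the VideoLAN project. It assumes binutils' readelf is available, and that a statically linked libFLAC leaves its vendor banner ("reference libFLAC <version> <date>") in the binary; the helper names, the path to the flac plugin in the usage note, and the constructed inputs in the test are all the example's own.

```shell
#!/bin/sh
# Added example (not from the VideoLAN thread): classify how a binary is
# linked against libFLAC so the right package gets the security update.

# Pure decision helper. $1 is the list of NEEDED entries (one per line),
# $2 is "yes"/"no" for whether a libFLAC banner was found inside the file.
# Prints: dynamic (system libFLAC.so is loaded), static (a private copy is
# embedded), or none (no evidence of libFLAC at all / inconclusive).
classify_flac_linkage() {
    needed="$1"; embedded="$2"
    if printf '%s\n' "$needed" | grep -q '^libFLAC\.so'; then
        echo dynamic
    elif [ "$embedded" = yes ]; then
        echo static
    else
        echo none
    fi
}

# Look for libFLAC's vendor banner in the file body. Assumption: libFLAC
# embeds FLAC__VENDOR_STRING in the form "reference libFLAC 1.x.y YYYYMMDD";
# the regex below only relies on that prefix. -a treats the binary as text.
has_embedded_flac_banner() {
    if grep -qa 'reference libFLAC [0-9]' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Extract the DT_NEEDED entries of an ELF object with readelf (binutils).
# Non-ELF input or a missing readelf yields an empty list.
needed_libs() {
    readelf -d "$1" 2>/dev/null | sed -n 's/.*(NEEDED).*\[\(.*\)\]/\1/p'
}

# Combine both observations for one file on disk.
check_binary() {
    bin="$1"
    needed=$(needed_libs "$bin")
    emb=$(has_embedded_flac_banner "$bin")
    classify_flac_linkage "$needed" "$emb"
}

# Usage (paths are assumptions, adjust to the install): the FLAC decoder in
# VLC lives in a plugin module, so check that object, not only the main vlc
# executable.
# check_binary /usr/bin/vlc
# check_binary /usr/lib/vlc/codec/libflac_plugin.so
```

A result of "dynamic" for the flac plugin means the Debian fix belongs in the libflac package and VLC can stay as is, which is what the reply expects for Debian; "static" means the VLC build itself must be rebuilt against a fixed libFLAC, as the VideoLAN Windows and Mac OS binaries were. "none" should be read as inconclusive (for example when readelf is not installed or the banner format differs), not as proof that FLAC support is absent.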
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.videolan.org/pipermail/vlc/attachments/20080103/7c5ecdbf/attachment.sig>