[vlc] security issues in vlc 0.8.6c
Nico Golde
nion at debian.org
Thu Jan 3 20:07:15 CET 2008
Hi Rémi,
* Rémi Denis-Courmont <rdenis at simphalempin.com> [2008-01-03 19:55]:
> Le Wednesday 02 January 2008 21:59:51 Nico Golde, vous avez écrit :
> > I am currently investigating the latest vlc security issues
> > for Debian.
> > About CVE-2007-4619, in the NEWS file you say this is for
> > Windows and Mac OS Binaries. Does this vulnerability only
> > affect these two systems?
>
> CVE-2007-4619 affects every operating system, however as far as the VideoLAN
> project is concerned, this only affects our binary releases, because we
> statically link against libFLAC.
I should have checked the CVE id. I did not know that this
is about flac, just saw it in the changelog and assumed that
this is a specific vlc issue. Thanks! :)
> I think Debian links dynamically so VLC
> itself would not need to be updated.
Yes sure.
> > For VideoLAN-SA-0703:
[...]
> > Is this the only change needed to fix this?
>
> That's in the ActiveX plugin. Debian would not care about that patch.
CVE-2007-6262 (A certain ActiveX control in axvlc.dll in VideoLAN VLC 0.8.6 before ...)
- vlc <not-affected> (Windows only issue)
Mhm we already had this one in our tracker. Can you add the CVE id to your announce to
make this more obvious to people?
> Other patches that I can think of, since 0.8.6c:
>
> https://trac.videolan.org/vlc/changeset/22023
> https://trac.videolan.org/vlc/changeset/23198
> https://trac.videolan.org/vlc/changeset/23854
> https://trac.videolan.org/vlc/changeset/23855
Thank you very much, those help a lot!
> That being noted, Etch (and worse yet Sarge) are both based upon development
> versions. We don't keep track of security issues within development releases
> given our limited resources. I would bet some security fixes are missing.
I did not mention this, I am not keeping track of this issue
in stable, just testing & unstable. But I agree, it's really
not nice to have the development versions in our stable
releases.
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.