CVE-2013-1868

Benjamin Drung bdrung at debian.org
Wed Mar 20 20:54:30 UTC 2013


On Wednesday, 20.03.2013, at 13:56 +0200, Henri Salo wrote:
> > VLC 2.0.3-5 from testing is (probably) affected and VLC 2.0.5-1 from
> > unstable is not affected.
> 
> Could you submit this information to security tracker after you have verified
> it?

It's fixed in VLC 2.0.5 according to upstream.

> > >     http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commitdiff;h=9b0414dc7f5c18ff2951175cf076779c444efd70
> > 
> > This git commit is not the correct commit.
> 
> Removed from security tracker. Do you know what is the correct commitdiff?

No. The commits between 2.0.4 and 2.0.5 need to be checked. I found two
commits:

http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commitdiff;h=74ff87cc141bc1b88a38ee90f95b3d935c938a56
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commitdiff;h=8e8b02ff1720eb46dabe2864e79d47b40a2792d5

> > I would appreciate a bug report with an attached and tested patch.
> 
> I can submit a bug to BTS, but I don't have the knowledge/skills to test this issue
> and currently no time to create a patch for it. This is the reason I contacted you
> via email. Please note that the commitdiff-link was in the CVE-request in
> oss-security mailing list. I also prefer not to report the bug with unclear
> details.

Is there a test case / file that triggers this bug?

-- 
Benjamin Drung
Debian & Ubuntu Developer




More information about the pkg-multimedia-maintainers mailing list