Bug#775866: vlc: multiple vulnerabilities
Yves-Alexis Perez
corsac at debian.org
Tue Jan 20 20:47:26 UTC 2015
Source: vlc
Version: 2.1.5-1
Severity: grave
Tags: security
Justification: user security hole
Hi,
multiple vulnerabilities were reported against vlc 2.1.5. The complete
mail is at http://seclists.org/oss-sec/2015/q1/187 but at least the
following vulnerabilities are fixed in vlc master branch:
* Buffer overflow in updater:
https://github.com/videolan/vlc/commit/fbe2837bc80f155c001781041a54c58b5524fc14
* Buffer overflow in mp4 demuxer:
https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39
* Potential buffer overflow in Schroedinger Encoder:
https://github.com/videolan/vlc/commit/9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5
* Invalid memory access in rtp code:
https://github.com/videolan/vlc/commit/204291467724867b79735c0ee3aeb0dbc2200f97
* Null-pointer dereference in dmo codec:
https://github.com/videolan/vlc/commit/229c385a79d48e41687fae8b4dfeaeef9c8c3eb7
And there are unfixed ones:
* The potential buffer overflow in the Dirac Encoder was not fixed as
the Dirac encoder no longer exists in the master branch.
* The potential invalid writes in modules/services_discovery/sap.c and
modules/access/ftp.c were not fixed as I did not provide a
trigger. Note that the code looks very similar to the confirmed bug
in rtp_packetize_xiph_config, and so I leave it to you to decide
whether you want to patch this.
CVEs should follow soon. Also, I guess Wheezy and Jessie are affected too, so a
DSA might be needed.
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)