Bug#811519: vlc: avio plugin leaks file content

Sebastian Ramacher sramacher at debian.org
Tue Jan 19 16:27:27 UTC 2016


Control: reassign -1 src:ffmpeg 7:2.8.4-1
Control: retitle -1 ffmpeg: needs to build with --disable-protocol=concat to really fix CVE-2016-1897

On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote:
> Package: vlc
> Version: 2.2.1-5+b1
> Severity: grave
> Tags: security patch
> Justification: user security hole
> 
> Dear Maintainer,
> 
> With a carefully crafted URL, the VLC avio plugin can be made to leak
> content of local files to remote parties.
> The root cause is the same as CVE-2016-1897.
> 
> See also:
> 
> https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html

There is nothing to be done in the vlc package. Reassigning to ffmpeg. It needs
to be built with --disable-protocol=concat.

Cheers
-- 
Sebastian Ramacher
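
A check for the fix named in the reply above, as an added example that is not part of the original message: it parses the protocol listing printed by `ffmpeg -protocols` and reports whether `concat` is still available as an input protocol. The sample listings are constructed and the function names are made up for this example.

```shell
# Added example: verify that an ffmpeg build has the concat protocol disabled.
# protocol_enabled SECTION NAME
#   stdin:   output of `ffmpeg -hide_banner -protocols`
#   SECTION: "input" or "output"
#   returns 0 if NAME is listed in that section, 1 otherwise
protocol_enabled() {
    awk -v dir="$1" -v want="$2" '
        /^Input:/  { section = "input";  next }
        /^Output:/ { section = "output"; next }
        # Exact match on the first field, so "concatf" does not count as "concat".
        section == dir && $1 == want { found = 1 }
        END { exit !found }
    '
}

# check_concat: reads a protocol listing on stdin, prints a verdict,
# returns 0 only when concat is absent from the input protocols.
check_concat() {
    if protocol_enabled input concat; then
        echo "concat input protocol ENABLED: rebuild with --disable-protocol=concat"
        return 1
    fi
    echo "concat input protocol not present"
}

# Constructed sample listings (not captured from a real build).
SAMPLE_DEFAULT='Supported file protocols:
Input:
  cache
  concat
  file
  http
Output:
  file
  http'
SAMPLE_HARDENED='Supported file protocols:
Input:
  cache
  file
  http
Output:
  file
  http'

# Check the locally installed ffmpeg, if there is one.
if command -v ffmpeg >/dev/null 2>&1; then
    ffmpeg -hide_banner -protocols 2>/dev/null | check_concat || true
fi
```

Applications that link against libavformat inherit its protocol list, so the installed library build is the thing to check rather than each front end.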