Bug#811519: vlc: avio plugin leaks file content
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Tue Jan 19 19:40:35 UTC 2016
On 19.01.2016 20:32, Rémi Denis-Courmont wrote:
> On Tuesday 19 January 2016 19:06:54 Andreas Cadhalpun wrote:
>> How is CVE-2016-1897 not fully fixed?
>>
>> Rémi, please share details about any remaining vulnerability with
>> <ffmpeg-security at ffmpeg.org>.
>
> This is a VLC vulnerability and I can't share it with my own self.
However, you suggest that the underlying problem is in libavformat.
> Besides the
> underlying issue has already been discussed with upstream libav.
But they haven't applied any fix for it, yet.
> There is plenty of information available already to reproduce the problem.
I can reproduce the problem with ffmpeg 2.8.4, but not with 2.8.5.
> I don't want to publish an exact proof-of-concept against "my" own software,
> especially not before VLC 2.2.2 gets released.
<ffmpeg-security at ffmpeg.org> is a private mailing list that can deal with
embargoed information. So please provide more details there.
Best regards,
Andreas