Wheezy update of vlc?
Reinhard Tartler
siretart at tauware.de
Mon May 30 02:10:20 UTC 2016
On 2016-05-29 13:53, Thorsten Alteholz wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of vlc:
> https://security-tracker.debian.org/tracker/CVE-2016-5108
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts at lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether
> you have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> Thank you very much.
>
> Thorsten Alteholz,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

The following commands should yield a more or less good starting point
for a new upload that addresses the issue mentioned in that CVE:

git clone git://git.debian.org/pkg-multimedia/vlc
cd vlc
git checkout wheezy
git checkout master -- debian/patches/adpcm-reject-invalid-QuickTime-IMA-files.patch
echo adpcm-reject-invalid-QuickTime-IMA-files.patch >> debian/patches/series
dch -i

I glanced over https://wiki.debian.org/LTS/Development, but that
procedure seems pretty involved. I'd appreciate it if someone else could
take over the necessary bureaucracy. Note that I did not test the patch
myself because I was unable to find accurate documentation about what
the issue is, or what test sample can be used to verify the presence or
absence of the bug.
Also note that
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5108 doesn't
provide any useful information about this issue. Is that issue also
known by a different identifier?
Cheers,
Reinhard