[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2010-03-24 Thread Artur Rona
** Changed in: vlc (Ubuntu Dapper) Status: New = Invalid -- vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors https://bugs.launchpad.net/bugs/122207 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. --

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2010-02-25 Thread Artur Rona
Dapper server support is until June 2011, so it can be fixed. ** Changed in: vlc (Ubuntu Dapper) Status: Invalid = New

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2010-02-24 Thread Saïvann Carignan
Dapper is not supported anymore since July 2009, therefore I mark Dapper status to invalid. ** Changed in: vlc (Ubuntu Dapper) Status: Confirmed = Invalid

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2009-06-02 Thread Tiberiu Cristea
Are you serious? This bug has been present in Dapper for such a long time, yet nobody cares to fix it. How can you call your LTS releases 'enterprise-ready' when this kind of monstrous vulnerabilities are left unpatched for years?

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2009-06-02 Thread Stephan Hermann
@Tiberiu: VLC is in multiverse/universe pocket...therefore it's not supported by package definition of Canonical. Only main and restricted are supported...everything else is community effort...which is demandable. Feel free to provide debdiffs for the dapper package...we are happy to review

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2008-12-13 Thread LumpyCustard
Feisty also needs to close, but can't close it as 'Won't Fix', could someone please do this?

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2008-12-13 Thread Scott Kitterman
** Changed in: vlc (Ubuntu Feisty) Status: Confirmed = Won't Fix

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2008-07-07 Thread Jamie Strandboge
Closing Edgy as it is end-of-lifed. ** Changed in: vlc (Ubuntu Edgy) Status: Confirmed = Won't Fix

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2008-06-15 Thread Saïvann Carignan
New vulnerabilities classified as moderately critical by Secunia in VLC were discovered and fixed in 0.8.6h http://secunia.com/advisories/30560/ . All VLC versions prior to 0.8.6h are subject to this vulnerability. Perhaps the Ubuntu security team should change the bug title and consider

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2008-03-17 Thread hk47
I've subscribed Emanuele Gentili to this bug. Since he's provided updated packages for VLC just some time ago (see Bug #195949), it would be great if he could take a look at this one.

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-12 Thread hk47
I'm wondering if it wouldn't be better to just backport the current VLC to the stable releases' backports repositories if it's not possible to publish security updates in time. Better to have a leap in versions than to leave users behind with vulnerable software. But then there would have to be

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
** Changed in: vlc Status: New = Fix Released ** Bug watch added: Debian Bug tracker #429726 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429726 ** Also affects: vlc (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429726 Importance: Unknown Status:

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
I'm working on patches for Dapper, Edgy and Feisty, but it's taking a bit of digging, because vlc upstream doesn't actually bother to publish patches. Thanks vlc upstream. Here's a Debian bug link for -0256, because LP doesn't like having multiple Debian tasks. Thanks LP.

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
The documentation on these vulnerabilities is *absolutely shocking*, so I'm attaching the bits here as I find them. ** Attachment added: Patch for CVE-2007-3316 http://launchpadlibrarian.net/10317358/CVE-2007-3316.diff

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
Upstream bug for -0256: http://trac.videolan.org/vlc/ticket/992

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
-0256 was backported in commit 18587. ** Attachment added: Patch for CVE-2007-0256 http://launchpadlibrarian.net/10317805/CVE-2007-0256.diff

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
-3468 is fixed in upstream commit 20445. ** Attachment added: CVE-2007-3468 http://launchpadlibrarian.net/10317780/CVE-2007-3468.diff

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
http://trac.videolan.org/vlc/changeset/20443 looks like it probably fixes CVE-2007-3467, but I'm really not sure. It is related, within a day of the notification, and I can't see anything else that might have fixed it.

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread Bug Watch Updater
** Changed in: vlc (Debian) Status: Unknown = Fix Released

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-10-08 Thread hk47
I'm sorry, but I fear deb-packaging is beyond my scope (just not to say abilities...) for the time being :-( So I'll stick to reporting bugs as they come to my knowledge for now.

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-10-05 Thread hk47
Seems like the fixed packages for dapper got released; I got them yesterday evening via dapper-security. Curiously, /usr/share/doc/vlc/changelog.Debian.gz doesn't refer or even mention this bug report or its CVE references, so I'm wondering what got fixed in the new packages...?

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-10-05 Thread Kees Cook
The vlc dapper released a few days ago (0.8.4.debian-1ubuntu6.1) was actually an old fix (bug 78610) that had gotten stuck in the security build queue. If you're interested in creating debdiffs and testing fixes for the issues in this report, I'd be happy to apply them and get them uploaded.

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-07-15 Thread malebola
** Also affects: vlc (upstream) Importance: Undecided Status: New

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-07-11 Thread hk47
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3467 ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3468

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-07-10 Thread hk47
Updated packages for Debian Oldstable (Sarge), Stable (Etch) and Unstable (Sid) have been announced on Debian's security mailing list and are already available. The according Debian Security Advisory should soon be available at http://www.debian.org/security/2007/dsa-1332 (link provides 404 at

[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-06-25 Thread mlind
fixed in gutsy vlc (0.8.6.release.c-0ubuntu1) gutsy; urgency=low * SECURITY UPDATE: Format string injection in multiple plugins could lead to arbitrary code execution and/or DoS. * New upstream security and bugfix release, 0.8.6c (LP: #121511). * References CVE-2007-0256