On Tue, Jul 13, 2010 at 10:01:13 (EDT), Rémi Denis-Courmont wrote:

>> Ping maintainers and debian security team. Indicate the security
>> issue, the patch and/or new tarball.
> It's not like it's not known:
> http://security-tracker.debian.org/tracker/status/release/stable

It lists 4 CVEs: CVE-2010-1441 - 1445, all of them only affecting the
0.8 series and without any details.  So this piece of information is
pretty useless for identifying missing changes in 0.8.x. A tad more
insightful is http://www.videolan.org/security/sa1003.html, which at
least mentions:

 - Heap buffer overflow vulnerability in A/52, DTS and MPEG Audio decoders
 - Invalid memory access in AVI, ASF, Matroska (MKV) demuxers
 - Invalid memory access in XSPF playlist parser
 - Invalid memory access in ZIP archive decompressor
 - Heap buffer overflow in RTMP access

I guess each of them matches the respective CVE number.

BTW, this is only half the story you mentioned in the beginning
of this thread.

> It's more like nobody cares.

I don't think that's accurate. I'd rather guess that there is no one
in the distro camp that knows how to match these 5 issues to patches
that fix them.

Reinhard Tartler, KeyID 945348A4

pkg-multimedia-maintainers mailing list