Seems that we already have this fix in intrepid:
vlc (0.8.6.release.h-1ubuntu1) intrepid; urgency=low

  * Merge from Debian unstable. (LP: #238873, #243450, #245563)
    Remaining changes:
    - Add PulseAudio support.
    - Enable (and build-depend on) x264 support.
    - Add Xb-Npp-.* fields to mozilla-plugin-vlc, for the Firefox plugin
      finder service.
    - Clean up debian/vlc.desktop.
    - Make vlc recommend vlc-plugin-pulse.
    - Install link to plugin in xulrunner 1.9 plugin directory.
    - Build against xul rather than iceape.
    - Rename the upstream tarball to match old Ubuntu convention.
    - Modify Maintainer value to match the DebianMaintainerField
      specification.

 -- William Grant <[EMAIL PROTECTED]>  Sun, 06 Jul 2008 21:53:26 +1000

vlc (0.8.6.h-1) unstable; urgency=high

  [ Christophe Mutricy ]
  * Acknowledge NMU by Nico Golde. Thanks.
  * Acknowledge NMU by Mike Hommey. Thanks.
  * New security upstream release
    - Fix buffer overflow (CVE-2008-1881)
    - Fix out of bound array access (CVE-2008-1769)
    - Fix various integer overflows in MP4 demuxer, Cinepak, RTSP
      (CVE-2008-1489, CVE-2008-1768)
    - Remove 105_min_mkv.patch, 400-CVE-2008-1489.diff and
      401-CVE-2008-0073.diff, 402-CVE-2008-1881, 403-CVE-2008-1768.diff
      and 404-CVE-2008-1881 integrated upstream
  * Remove old transitional packages: vlc-plugin-alsa and wxvlc
    (Closes: #477543, #477545)
  * Add some magic for reportbug to ask people to remove their plugin cache
    and get the info for vlc-nox and libvlc0 also.

  [ Reinhard Tartler ]
  * added a watch file
  * new upstream release, refreshing patches

  [ Christophe Mutricy ]
  * Fix buffer overflow in Wav demux.(CVE-2008-2430)(Closes: #489004)
    (Patch taken from upstream: 401-CVE-2008-2430.diff)

 -- Christophe Mutricy <[EMAIL PROTECTED]>  Sat, 05 Jul 2008 23:45:15 +0100


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0073

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1489

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1768

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1769

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1881

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2430

** Changed in: vlc (Ubuntu)
       Status: Confirmed => Fix Released

-- 
vlc is potentially vulnerable to buffer overflow in specially crafted mp4 files
https://bugs.launchpad.net/bugs/113922