*** This bug is a security vulnerability ***

Public security bug reported:

VLC 2.2.5.1 fixes buffer overflow and out-of-bound read bugs related to
subtitle decoding. A company called "Check Point" appears to have reported 
them, but they did not release any details. [1]
At least the following 5 commits relate to these bugs: [2]

Presumably all currently supported Ubuntu releases are affected by at
least one bug fixed by the patches.

By the way, there seem to be other security-related commits in VLC that
might need backporting, e.g. [3] [4]

[1]: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
[2]: https://github.com/videolan/vlc/search?q=checkpoint&type=Commits&utf8=%E2%9C%93
[3]: https://github.com/videolan/vlc/search?o=desc&p=1&q=overflow&s=committer-date&type=Commits&utf8=%E2%9C%93
[4]: https://github.com/videolan/vlc/search?o=desc&q=out+of+bound&s=committer-date&type=Commits&utf8=%E2%9C%93

** Affects: vlc (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1693893

Title:
  Possible remote code execution related to subtitles

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/vlc/+bug/1693893/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs