FS#46037 - [vlc] CVE-2015-5949: buffer overflow in 3GP leading to arbitrary code execution

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Thursday, 20 August 2015, 14:02 GMT
Last edited by Doug Newgard (Scimmia) - Thursday, 09 June 2016, 23:30 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Giovanni Scafora (giovanni)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

Hi,

A security issue [1] has been found in the 3GP parser of VLC <= 2.2.1, allowing arbitrary code execution.
The patch [2] has been committed to the 2.2.x branch, but given that the patch is quite simple, I don't think we should wait for a new version to be released.

[1]: http://www.ocert.org/advisories/ocert-2015-009.html
[2]: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=ce91452460a75d7424b165c4dc8db98114c3cbd9;hp=9e12195d3e4316278af1fa4bcb6a705ff27456fd

Closed by Doug Newgard (Scimmia)
Thursday, 09 June 2016, 23:30 GMT
Reason for closing: Fixed
Additional comments about closing: vlc 2.2.2-1

Comment by Samantha McVey (samcv) - Thursday, 09 June 2016, 17:24 GMT
Suggesting this package be closed since we are currently using VLC 2.2.4, which should have the fix in it.
