FS#62872 - Security fixes in VLC 3.0.7 and its dependencies
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 11 June 2019, 13:37 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 10 September 2019, 20:44 GMT
Details
VLC 3.0.7 was released a week ago (we still have 3.0.6 in the repositories), and its main author claims "This release is a bit special, because it has more security issues fixed than any other version of VLC":
http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security

He specifically states that libfaad2 currently has no maintainer - hence I suggest backporting the fix or fixes from VLC's source tree. One example a quick search unearthed is this one:
https://git.videolan.org/?p=vlc.git;a=blob;f=contrib/src/faad2/faad2-fix-overflows.patch

On the GitHub mirror of libfaad2's SourceForge repository, there's a pull request with what seem to be additional security fixes:
https://github.com/knik0/faad2/pull/36

The VLC changelog lists 24 security fixes for VLC 3.0.7, 5 of which are described as fixing multiple vulnerabilities, and most of them seem to reference external dependencies (although I'm not sure which of those entries apply to external dependencies and which apply to the glue code through which VLC uses those dependencies):
https://www.videolan.org/developers/vlc-branch/NEWS