Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#62872 - Security fixes in VLC 3.0.7 and its dependencies

Attached to Project: Arch Linux
Opened by Pascal E. (hardfalcon) - Tuesday, 11 June 2019, 13:37 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 10 September 2019, 20:44 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


VLC 3.0.7 was released a week ago (we still have 3.0.6 in the repositories), and it's main author claims "This release is a bit special, because it has more security issues fixed than any other version of VLC":

He specifically states that libfaad2 currently has no maintainer - hence I suggest backporting the fix or fixes from VLC's source tree. One example a quick search unearthed is this one:;a=blob;f=contrib/src/faad2/faad2-fix-overflows.patch

On the Github mirror of libfaad2's SourceForge repository, there's a pull request with what seem to be additional security fixes:

The VLC changelog lists 24 security fixes for VLC 3.0.7, 5 of which are described as fixing multiple vulnerabilites, and most of them seem to reference external dependencies (although I'm not sure which of those entries apply to external dependencies and which apply to the glue code through which VLC uses those dependencies):
This task depends upon

Closed by  Levente Polyak (anthraxx)
Tuesday, 10 September 2019, 20:44 GMT
Reason for closing:  Fixed