[Secure-testing-team] fixed vlc packages for VideoLAN-SA-0702

Micah Anderson micah at riseup.net
Fri Jun 22 11:48:23 UTC 2007


Hi Sam,

Sam Hocevar wrote:
>    Dear security and testing-security teams,
> 
>    I have prepared sarge and etch packages for the VideoLAN-SA-0702

This VideoLAN advisory is associated with CVE-2007-3316

> advisory (found at http://www.videolan.org/sa0702.html). I took the
> liberty to fix other DoS and buffer overflow bugs in the package, if you

This is great. Do you know if these other issues have CVE IDs associated with 
them?

The only other one I can find that seems associated with VLC in the Mitre CVE 
list is:

CVE-2007-0256 (VideoLAN VLC 0.8.6a allows remote attackers to cause a denial of 
...) which is associated with debian bug #407290

Is this what 111_memleak.diff fixes?

If so, it would be good to try and associate the other issues (in 
113_overflows.diff, 112_missingchecks.diff and 114_uninitialised.diff) with CVE 
IDs. If there are no CVE IDs assigned for these, can you provide a reference to 
where these came from so we can get some assigned?

>    Lenny is vulnerable to all holes in the advisory. Packages are here:
>    http://people.zoy.org/~sam/vlc/0.8.6.a.debian-6lenny1/
> 
>    Sid is vulnerable to all holes in the advisory. The fixed packages
> will be 0.8.6.c.debian-1.

Please go ahead and upload the fixed versions to sid as soon as possible 
(urgency=high). I've noted these versions in the security tracker.

Thanks,
Micah
