Hello,

On Sunday 10 April 2011 18:34:34 Nico Golde, you wrote:
> * Remi Denis-Courmont <r...@remlab.net> [2011-04-10 09:36]:
> > An exploitable memory corruption vulnerability has been publicized
> > against libmodplug 0.8.8.1:
> > http://seclists.org/fulldisclosure/2011/Apr/113
> >
> > Upstream version 0.8.8.2 fixes the issue.
>
> How important is this library for vlc and others from an end-user
> perspective? The code doesn't look like it was written with security in
> mind and I guess it's only a matter of time for new issues to pop up for
> this lib.

I have not looked at the code. I believe it's the only way to decode trackers in VLC (and possibly other media frameworks) at the moment. I do not know any alternative OSS library for tracker decoding.

Except for an alternative library, or for Chrome-style process separation, I think there is not much of a solution to that "problem". (Process separation would ruin performance, would not be portable, and would require man-years of development and big money.)

-- 
Rémi Denis-Courmont
http://www.remlab.info/
http://fi.linkedin.com/in/remidenis