Bug#775866: vlc: multiple vulnerabilities

2015-01-26 Thread Moritz Muehlenhoff
On Mon, Jan 26, 2015 at 05:33:30PM +0100, Sebastian Ramacher wrote: > On 2015-01-26 13:49:26, Moritz Mühlenhoff wrote: > > On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote: > > > * The potential invalid writes in modules/services_discovery/sap.c and > > > modules/access/ftp.c wer

Bug#775866: vlc: multiple vulnerabilities

2015-01-26 Thread Sebastian Ramacher
On 2015-01-26 13:49:26, Moritz Mühlenhoff wrote: > On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote: > > * The potential invalid writes in modules/services_discovery/sap.c and > > modules/access/ftp.c were not fixed as I did not provide a > > trigger. Note, that the code looks

Bug#775866: vlc: multiple vulnerabilities

2015-01-26 Thread Moritz Mühlenhoff
On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote: > * The potential invalid writes in modules/services_discovery/sap.c and > modules/access/ftp.c were not fixed as I did not provide a > trigger. Note, that the code looks very similar to the confirmed bug > in rtp_packetize_xi

Bug#775866: vlc: multiple vulnerabilities

2015-01-21 Thread Sebastian Ramacher
On 2015-01-20 21:47:26, Yves-Alexis Perez wrote: > * Null-pointer dereference in dmo codec: > > https://github.com/videolan/vlc/commit/229c385a79d48e41687fae8b4dfeaeef9c8c3eb7 No CVE was issued for this bug, so I'll omit that patch. Cheers -- Sebastian Ramacher

Bug#775866: vlc: multiple vulnerabilities

2015-01-21 Thread Sebastian Ramacher
On 2015-01-20 21:47:26, Yves-Alexis Perez wrote: > And there are unfixed ones: > > * The potential buffer overflow in the Dirac Encoder was not fixed as > the Dirac encoder no longer exists in the master branch. Similarly, 2.2.0~rc2-1 no longer contains the Dirac encoder, so this only affects w

Bug#775866: vlc: multiple vulnerabilities

2015-01-21 Thread Moritz Muehlenhoff
On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote: > Source: vlc > Version: 2.1.5-1 > Severity: grave > Tags: security > Justification: user security hole > > Hi, > > multiple vulnerabilities were reported against vlc 2.1.5. The complete > mail is at http://seclists.org/oss-sec/20

Bug#775866: vlc: multiple vulnerabilities

2015-01-20 Thread Salvatore Bonaccorso
Hi! On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote: > CVEs should follow soon. Also, I guess Wheezy and Jessie are affected too, so a DSA might be needed. They were assigned now: http://www.openwall.com/lists/oss-security/2015/01/20/11 Regards, Salvatore

Bug#775866: vlc: multiple vulnerabilities

2015-01-20 Thread Yves-Alexis Perez
Source: vlc Version: 2.1.5-1 Severity: grave Tags: security Justification: user security hole Hi, multiple vulnerabilities were reported against vlc 2.1.5. The complete mail is at http://seclists.org/oss-sec/2015/q1/187 but at least the following vulnerabilities are fixed in vlc master branch: *