oss-sec mailing list archives
Re: CVE request: VLC <1.0.6 Multiple issues
From: Josh Bressers <bressers () redhat com>
Date: Wed, 28 Apr 2010 16:28:27 -0400 (EDT)
----- "Alex Legler" <a3li () gentoo org> wrote:
> VLC media player suffers from various vulnerabilities when attempting to
> parse malformatted or overly long byte streams.
>
> * Heap buffer overflow vulnerability in A/52, DTS and MPEG Audio decoders
> * Invalid memory access in AVI, ASF, Matroska (MKV) demuxers
> * Invalid memory access in XSPF playlist parser
> * Invalid memory access in ZIP archive decompressor
> * Heap buffer overflow in RTMP access
>
> http://www.videolan.org/security/sa1003.html
I'm going to trust the upstream advisory regarding version information, so here goes:

The affected versions are VLC media player 1.0.5 down to 0.5.0
This is fixed in version 1.0.6 and 1.1.0

The flaws appear to be split based on where in the vlc source they occur. I'm going to keep the upstream mapping for CVE ids, as it's possible certain other projects will have cherry-picked the source.

CVE-2010-1441 VLC Heap buffer overflow in A/52, DTS and MPEG Audio decoders
CVE-2010-1442 VLC Invalid memory access in AVI, ASF, Matroska (MKV) demuxers
CVE-2010-1443 VLC Invalid memory access in XSPF playlist parser
CVE-2010-1444 VLC Invalid memory access in ZIP archive decompressor
CVE-2010-1445 VLC Heap buffer overflow in RTMP access

Thanks

--
JB
Current thread:
- CVE request: VLC <1.0.6 Multiple issues Alex Legler (Apr 22)
- Re: CVE request: VLC <1.0.6 Multiple issues Josh Bressers (Apr 28)