CVE request: VLC -- Stack-based buffer overflows in three demuxers

[Alex Legler <a3li () gentoo org>]

Hey,

just caught this at Secunia [1], can we please get a CVE?

"Some vulnerabilities have been reported in VLC Media Player, which can
be exploited by malicious people to potentially compromise a user's
system.

1) A boundary error exists within the "ASF_ObjectDumpDebug()" function
in modules/demux/asf/libasf.c. This can be exploited to cause a
stack-based buffer overflow via a specially crafted ASF file.

2) A boundary error exists within the "AVI_ChunkDumpDebug_level()"
function in modules/demux/avi/libavi.c. This can be exploited to cause
a stack-based buffer overflow via a specially crafted AVI file.

3) A boundary error exists within the "__MP4_BoxDumpStructure()"
function in modules/demux/mp4/libmp4.c. This can be exploited to cause
a stack-based buffer overflow via a specially crafted MP4 file."

Commits containing the fixes:

1)
http://git.videolan.org/?p=vlc.git;a=commit;h=dfe7084e8cc64e9b7a87cd37065b59cba2064823

2)
http://git.videolan.org/?p=vlc.git;a=commit;h=861e374d03e6c60c7d3c98428c632fe3b9e371b2

3)
http://git.videolan.org/?p=vlc.git;a=commit;h=c5b02d011b8c634d041167f4d2936b55eca4d18d

Thanks,
Alex

[1] http://secunia.com/advisories/36762/

Attachment: signature.asc
Description: