oss-sec mailing list archives
RE: VideoLAN TiVo Demuxer Duplicate CVEs (CVE-2011-5231 and CVE-2012-0023)
From: "Christey, Steven M." <coley () mitre org>
Date: Tue, 30 Oct 2012 17:59:28 +0000
Sean,

Thank you for noticing this.

CVE-2011-5231 was an accidental duplicate of CVE-2012-0023, and it was only released a couple days ago. CVE-2012-0023 has been in use since January. Google search results show that CVE-2012-0023 has many more hits. Even though the issue was first published in December 2011 and CVE-2012-0023 has "2012" in the name, this off-by-one is very common for identifiers for issues published in December/January of any year.

So, even though it's not "aesthetically appropriate," keep CVE-2012-0023 and REJECT CVE-2011-5231.

- Steve

-----Original Message-----
From: Sean Amoss [mailto:ackle () gentoo org]
Sent: Monday, October 29, 2012 2:27 PM
To: Common Vulnerabilities & Exposures; Steven M. Christey
Cc: oss-security () lists openwall com; Gentoo Linux Security Team; xtophe () videolan org
Subject: VideoLAN TiVo Demuxer Duplicate CVEs (CVE-2011-5231 and CVE-2012-0023)

Steve, MITRE, vendors:

It appears that there may be two CVE's for the same issue:

CVE-2011-5231 - Double free vulnerability in the get_chunk_header function in modules/demux/ty.c in VideoLAN VLC media player 0.9.0 through 1.1.12 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TiVo (TY) file.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5231
References to http://www.videolan.org/security/sa1108.html

=======================================================================

CVE-2012-0023 - Buffer overflow in VLC TiVo demuxer
CVE Assignment: http://www.openwall.com/lists/oss-security/2012/01/03/12
References http://www.videolan.org/security/sa1108.html in assignment above

Thanks,
Sean

--
Sean Amoss
Gentoo Security | GLSA Coordinator
E-Mail : ackle () gentoo org
GnuPG FP : E58A AABD DD2D 03AF 0A7A 2F14 1877 72EC E928 357A