please update VLC to version 2.1.3

Bug #1276650 reported by Marián Kadaňka
This bug affects 3 people
Affects         Status        Importance  Assigned to  Milestone
vlc (Ubuntu)    Fix Released  Wishlist    Unassigned
Trusty          Fix Released  Undecided   Unassigned

Bug Description

VLC needs to be updated to version 2.1.3

Benjamin Drung (bdrung)
Changed in vlc (Ubuntu):
status: New → In Progress
importance: Undecided → Wishlist
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 2.1.4-1

---------------
vlc (2.1.4-1) unstable; urgency=medium

  * New upstream release (Closes: #742625, LP: #1276650)
  * SECURITY UPDATE: crafted ASF file handling integer divide-by-zero DoS
    - CVE-2014-1684
    (Closes: #743033)

 -- Benjamin Drung <email address hidden> Sun, 11 May 2014 00:57:13 +0200

Changed in vlc (Ubuntu):
status: In Progress → Fix Released
Benjamin Drung (bdrung) wrote :

I have prepared 2.1.4 for trusty-security. You can get the source package by grabbing the .orig.tar.xz tarball from unstable/utopic (or from the pristine-tar branch) and running:

git clone -b trusty git://git.debian.org/git/pkg-multimedia/vlc.git
cd vlc
git-buildpackage -S

The source package builds cleanly with pbuilder.

Jamie Strandboge (jdstrand) wrote :

Would it be possible to provide a signed source package or a debdiff on top of the utopic package for trusty? This is preferred over grabbing a git snapshot (especially one the size of vlc).

Changed in vlc (Ubuntu Trusty):
status: New → Incomplete
Benjamin Drung (bdrung) wrote :

Here's the debdiff for utopic -> trusty-security.

Benjamin Drung (bdrung) wrote :

And here are the signed .dsc file + debian.tar.gz.

Changed in vlc (Ubuntu Trusty):
status: Incomplete → New
Jamie Strandboge (jdstrand) wrote :

Thanks! Comparing this to 2.1.2-2build2 I see that gbp.conf was changed and debian/upstream/signing-key.asc and debian/upstream-signing-key.pgp are new. I added an entry to the changelog for gbp.conf, but what are the signing keys? Why is the .pgp in debian/ but the .asc in debian/upstream?

Jamie Strandboge (jdstrand) wrote :

FYI, I don't consider the signing keys a blocker (they are just some extra files in debian/ and don't otherwise affect the software), and they are already in the utopic version. I've uploaded this to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages. Once it is done building, please test and give feedback here. Once the feedback is received, I can push them out.

Changed in vlc (Ubuntu Trusty):
status: New → Fix Committed
Benjamin Drung (bdrung) wrote :

debian/upstream-signing-key.pgp was renamed to debian/upstream/signing-key.asc. The filename extension was corrected from .gpg to .asc because the key is armored. The signing key is just for verifying the orig tarball and has no effect on the binary package. The gbp.conf file is just the configuration file for git-buildpackage and also has no effect on the binary.

Thanks for the upload.
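
The armored-vs-binary distinction Benjamin describes can be checked mechanically: the following Python, added here as an example and not code from the bug thread or the vlc package, tells whether a key file is ASCII-armored (.asc) or binary OpenPGP (.pgp), verifies the armor's CRC-24 trailer from RFC 4880 and reads the first packet's tag. The key packet it exercises is a constructed stand-in, not a real key.

```python
import base64

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB
# Constructed stand-in for a key: 0x99 is an old-format header for packet tag 6 (public
# key) with a two-byte length, followed by a five-byte dummy body. Not a real key.
FAKE_KEY_PACKET = bytes([0x99, 0x00, 0x05, 0x04, 0x53, 0x6F, 0x2E, 0x12])

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the binary packets; armor carries it as the '=XXXX' trailer."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (CRC24_POLY if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(data: bytes, label: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap binary packets in ASCII armor (the .asc form) with a CRC-24 trailer."""
    body = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {label}-----", ""] + [body[i:i + 64] for i in range(0, len(body), 64)]
                     + [f"={crc}", f"-----END {label}-----", ""])

def dearmor(text: str) -> bytes:
    """Strip ASCII armor and verify its CRC-24 trailer; raise ValueError if corrupted."""
    lines = [ln.strip() for ln in text.splitlines()]
    first = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN ")) + 1
    end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END "))
    while first < end and lines[first]:     # skip 'Version:'/'Comment:' headers up to the blank line
        first += 1
    body = [ln for ln in lines[first:end] if ln]
    if not body or not body[-1].startswith("="):
        raise ValueError("armor has no CRC-24 trailer")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: armored key is corrupted")
    return data

def describe_key_file(raw: bytes) -> dict:
    """Classify a key file as armored (.asc) or binary (.pgp) and check that it decodes cleanly."""
    armored = raw.lstrip().startswith(b"-----BEGIN PGP")
    try:
        data = dearmor(raw.decode("ascii")) if armored else raw
    except ValueError:      # binascii.Error and UnicodeDecodeError are ValueError subclasses
        return {"armored": armored, "intact": False, "first_packet_tag": None}
    ctb = data[0]   # first packet header byte; tag 6 is a public-key packet
    tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F
    return {"armored": armored, "intact": True, "first_packet_tag": tag}
```

A single altered character in the base64 body is enough to fail the CRC-24 check, which is the same integrity check gpg performs before importing an armored key.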

Benjamin Drung (bdrung) wrote :

I upgraded VLC to the version from the security-proposed PPA. I tested it with various kinds of videos without problems.

Jamie Strandboge (jdstrand) wrote :

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 2.1.4-0ubuntu14.04.1

---------------
vlc (2.1.4-0ubuntu14.04.1) trusty-security; urgency=medium

  * New upstream release (Closes: #742625, LP: #1276650)
  * SECURITY UPDATE: crafted ASF file handling integer divide-by-zero DoS
    - CVE-2014-1684
  * debian/gbp.conf: update for trusty
 -- Benjamin Drung <email address hidden> Sun, 11 May 2014 21:31:11 +0200

Changed in vlc (Ubuntu Trusty):
status: Fix Committed → Fix Released