Ubuntu
vlc package

<vlc-2.0.2: Ogg Heap buffer overflow & CVE-2012-2396

Bug #1020403 reported by Karma Dorje
This bug report is a duplicate of:  Bug #1025713: SRU request for VLC 2.0.2/2.0.3. Edit Remove
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Gentoo Linux
Unknown
Medium
vlc (Debian)
Fix Released
Unknown
vlc (Ubuntu)
Fix Released
Undecided
Unassigned
Precise
New
Undecided
Unassigned

Bug Description

It includes the following security content:

Fixed Ogg Heap buffer overflow
ogg: Fix a heap buffer overflow.
Reported by: An anonymous contributor working with the SecuriTeam Secure
Disclosure
program (http://www.beyondsecurity.com/ssd.html)
(cherry picked from commit 6a41b030f5b7fcbe5ad7249c374172c0fdc29add)
http://git.videolan.org/gitweb.cgi/vlc/vlc-2.0.git/?a=commit;h=16e9e126333fb7acb47d363366fee3deadc8331e

Updated taglib (CVE-2012-2396)

CVE References

Revision history for this message
In , Aballier (aballier) wrote :

Not much more information besides vlc-2.0.2 NEWS file:
Security:
 * Fix Ogg Heap buffer overflow

and this commit:
http://git.videolan.org/gitweb.cgi/vlc/vlc-2.0.git/?a=commit;h=16e9e126333fb7acb47d363366fee3deadc8331e

2.0.2 should be safe to stabilise though.

Revision history for this message
In , J-ago (j-ago) wrote :

ok to proceed with stabilization?

Karma Dorje (taaroa)
summary: - vlc-2.0.2: Ogg Heap buffer overflow & CVE-2012-2396
+ <vlc-2.0.2: Ogg Heap buffer overflow & CVE-2012-2396
visibility: private → public
Bug Watch Updater (bug-watch-updater)
Changed in vlc (Debian):
status: Unknown → Fix Released
Revision history for this message
Micah Gersten (micahg) wrote :

2.0.2 is in quantal

Changed in vlc (Ubuntu):
status: New → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in gentoo:
importance: Unknown → Medium
Revision history for this message
In , Glsamaker (glsamaker) wrote :

CVE-2012-3377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3377):
  Heap-based buffer overflow in the Ogg_DecodePacket function in the OGG
  demuxer (modules/demux/ogg.c) in VideoLAN VLC media player before 2.0.2
  allows remote attackers to cause a denial of service (application crash) and
  possibly execute arbitrary code via a crafted OGG file.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.