Please merge vlc 1.0.1-1 from Debian unstable (main)

Bug #406602 reported by freddy3980 on 2009-07-29
This bug affects 2 people
Affects: vlc (Ubuntu)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Here's a short changelog:

    * fix flv and mpeg2 seeking,
    * fixes for wmv, wav, rtsp and ssa support,
    * fixes for Qt and Mac OS X interface,
    * fix an integer underflow in Real pseudo-RTSP module,
    * updates of some translations,
    * port of the ZVBI module to Windows for full teletext support and
    * codecs updates for Windows and Mac OS X versions.

CeesSluis (testcees) wrote :

VLC Media Player 0.9.9 for Windows is vulnerable; other versions may also be affected. See http://www.securityfocus.com/bid/35500
This security issue is solved in the new version.

Tom rooze.sen (tomrooze-sen) wrote :

Please enter a security update VLC 0.0.9a to 1.0.1.
Grtz Tom,

Pjotr12345 (computertip) wrote :

Please update quickly. Also for Hardy: VLC is still 0.8.6e in Ubuntu 8.04 LTS!

Security holes should be fixed as soon as possible. This is not acceptable.

Pjotr12345 (computertip) wrote :

Additional thought:
VLC is a Multiverse package, and Multiverse packages are treated differently from the rest.

But when a package is as widely used as VLC (nearly everyone installs it), it shouldn't be left to the PPA to provide security updates.

security vulnerability: no → yes
Adil Arif (adisari06) on 2009-07-30
affects: ubuntu → vlc (Ubuntu)
CeesSluis (testcees) wrote :

The security issue is described on http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2484

But this page is about "when running on Microsoft Windows". Has this vulnerability no security impact on Linux/Ubuntu?

Krzysztof Klimonda (kklimonda) wrote :

Based on the description of both the commit (http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f) and the vulnerability itself, I'd say that this isn't really a problem on Linux (the code affected isn't even compiled on Linux).

security vulnerability: yes → no
Krzysztof Klimonda (kklimonda) wrote :

@Pjotr12345: Hardy follows our SRU policy; no new versions of packages (with few exceptions) are allowed. Only fixes for some bugs are backported. There were already 3 updates for VLC in Hardy.
But the package should still be merged from Debian.

Changed in vlc (Ubuntu):
importance: Undecided → Wishlist
summary: - Please update VLC to version 1.0.1
+ Please merge transmission 1.0.1-1 from Debian unstable (main)
Felix Geyer (debfx) on 2009-08-01
summary: - Please merge transmission 1.0.1-1 from Debian unstable (main)
+ Please merge vlc 1.0.1-1 from Debian unstable (main)
Changed in vlc (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 1.0.1-1ubuntu1

---------------
vlc (1.0.1-1ubuntu1) karmic; urgency=low

  * Merge from Debian unstable (LP: #406602, #407570), remaining changes:
    - build against xulrunner-dev instead of iceape-dev
    - build against libass-dev and libx264-dev
    - build against and install libx264 plugin
    - add Xb-Npp header to vlc package

vlc (1.0.1-1) unstable; urgency=low

  * New upstream bugfix version
    + Fix integer underflow in Real RTSP (DZC-2009-001, CVE pending)
    + Fix crashes in xspf files handler (LP: #365638)

  [ Reinhard Tartler ]
  * Add versioned build dependency on libschroedinger-dev

  [ Christophe Mutricy ]
  * Really build altivec-free libvlccore (Closes: #523035)
  * Depends on libdvbpsi5-dev and protect against future renaming of
    libdvbpsi development package
  * Remove patches applied upstream

 -- احمد المحمودي (Ahmed El-Mahmoudy) <email address hidden> Sat, 01 Aug 2009 05:54:24 +0300

Changed in vlc (Ubuntu):
status: Confirmed → Fix Released