memory corruption, code execution (CVE-2011-0531)

Reported by gialdo on 2011-02-06
This bug affects 1 person
Affects: Importance / Assigned to
vlc (Ubuntu): Undecided / Unassigned
Lucid: Undecided / Unassigned
Maverick: Undecided / Unassigned

Bug Description

Binary package hint: vlc

The package "vlc" in the currently supported stable versions of Ubuntu is vulnerable:
http://www.videolan.org/security/sa1102.html
It's been fixed upstream on February 1 in version 1.1.7.

Also the CVE isn't tracked here:
http://people.canonical.com/~ubuntu-security/cve/pkg/vlc.html

visibility: private → public
Benjamin Drung (bdrung) on 2011-02-06
Changed in vlc (Ubuntu):
status: New → Fix Released
Benjamin Drung (bdrung) wrote :

Attached the patches for maverick-security and lucid-security.

Benjamin Drung (bdrung) wrote :

Don't know if that's helpful but:
Fixed in debian squeeze for 1.1.3
http://www.debian.org/security/2011/dsa-2159

Sorry to ask, what's holding this one back?

Changed in vlc (Ubuntu Lucid):
status: New → In Progress
Changed in vlc (Ubuntu Maverick):
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

ACK to both lucid and maverick.

Changed in vlc (Ubuntu Lucid):
status: In Progress → Confirmed
Changed in vlc (Ubuntu Maverick):
status: In Progress → Confirmed
Changed in vlc (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in vlc (Ubuntu Maverick):
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! I have uploaded these to the security PPA and will publish them to the archive when they finish building.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 1.1.4-1ubuntu1.4

---------------
vlc (1.1.4-1ubuntu1.4) maverick-security; urgency=low

  * SECURITY UPDATE: memory corruption, code execution (LP: #714089)
    - debian/patches/mkv-input-validation.diff: Fix MKV improper input
      validation, thanks to Steve Lhomme
    - CVE-2011-0531
    - VideoLAN-SA-1102
 -- Benjamin Drung <email address hidden> Wed, 09 Feb 2011 23:52:19 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 1.0.6-1ubuntu1.5

---------------
vlc (1.0.6-1ubuntu1.5) lucid-security; urgency=low

  * SECURITY UPDATE: memory corruption, code execution (LP: #714089)
    - debian/patches/mkv-input-validation.diff: Fix MKV improper input
      validation, thanks to Steve Lhomme
    - CVE-2011-0531
    - VideoLAN-SA-1102
 -- Benjamin Drung <email address hidden> Thu, 10 Feb 2011 00:00:19 +0100

Changed in vlc (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in vlc (Ubuntu Maverick):
status: Fix Committed → Fix Released