URL format string injection in CDDA and VCDX plugins
Bug #78610 reported by Xtophe
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
vlc (Debian) | Fix Released | Unknown | | |
vlc (Ubuntu) | Fix Released | High | Daniel T Chen | |
Breezy | Invalid | Undecided | Unassigned | |
Dapper | Fix Released | Undecided | Unassigned | |
Edgy | Fix Released | Undecided | magilus | |
Feisty | Fix Released | High | Daniel T Chen | |
Bug Description
Binary package hint: vlc
This is a security problem.
VLC media player CDDA (CD Digital Audio) and VCDX (Video CD) plugins are prone to a C-style format string vulnerability when trying to open a media resource location. The bug occurs when handling error and debug messages from the underlying library libcdio.
Because the VCDX plugin probes every media resource location unless another plugin successfully opened the resource, almost any invalid location can trigger the bug.
See http://
It is referenced under CVE-2007-0017, VideoLAN-SA-0701, MOAB-02-01-2007
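The bug class described in the report, shown as an added C example; it is not code from VLC, libcdio or the reporter. The names `plugin_log`, `log_handler_fixed` and `count_conversions`, the callback shape and the sample message are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];   /* captures the most recent log line */

/* Hypothetical printf-style logger standing in for the player's logging call.
 * The format attribute lets GCC/Clang flag non-literal format arguments when
 * building with -Wformat -Wformat-security. */
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
static void plugin_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern (kept as a comment, not compiled):
 *     plugin_log(message);
 * The library-built message embeds the location the user asked to open, so
 * any '%' conversion in that location is parsed as a format directive. */

/* Hardened handler: constant format string, the message is data only. */
static const char *log_handler_fixed(const char *message)
{
    plugin_log("%s", message);
    return last_log;
}

/* Audit helper: count '%' conversions in a string ("%%" is a literal '%'). */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    const char *msg = "could not open cdda://%x%x%s";   /* constructed sample */
    printf("%s (conversions: %d)\n", log_handler_fixed(msg), count_conversions(msg));
    return 0;
}
```

With the constant `"%s"` format the location is logged byte for byte, whatever it contains.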
Changed in vlc:
status: Unknown → Fix Released

Changed in vlc:
assignee: nobody → pirast
status: Unconfirmed → Confirmed

Changed in vlc:
assignee: nobody → pirast
status: Unconfirmed → In Progress
assignee: pirast → crimsun

Changed in vlc:
assignee: nobody → pirast
status: Unconfirmed → In Progress

Changed in vlc:
status: In Progress → Fix Committed

Changed in vlc:
assignee: pirast → nobody
status: In Progress → Confirmed
I forgot to say it affects VLC versions 0.7.0 to 0.8.6. So all versions in Ubuntu are concerned.