diff -u vlc-1.0.6/debian/changelog vlc-1.0.6/debian/changelog
--- vlc-1.0.6/debian/changelog
+++ vlc-1.0.6/debian/changelog
@@ -1,3 +1,13 @@
+vlc (1.0.6-1ubuntu1.8) lucid-security; urgency=low
+
+ * SECURITY UPDATE: Heap overflow in AVI demuxer (LP: #807488)
+ - debian/patches/CVE-2011-2588.patch: AVI: fix heap buffer overflow,
+ thanks to Rémi Denis-Courmont
+ - CVE-2011-2588
+ - VideoLAN-SA-1106
+
+ -- Benjamin Drung Mon, 18 Jul 2011 16:15:19 +0200
+
 vlc (1.0.6-1ubuntu1.7) lucid-security; urgency=low
 
 * SECURITY UPDATE: Integer overflow in XSPF playlist parser (LP: #795410)
diff -u vlc-1.0.6/debian/patches/series vlc-1.0.6/debian/patches/series
--- vlc-1.0.6/debian/patches/series
+++ vlc-1.0.6/debian/patches/series
@@ -25,0 +26 @@
+CVE-2011-2588.patch
only in patch2:
unchanged:
--- vlc-1.0.6.orig/debian/patches/CVE-2011-2588.patch
+++ vlc-1.0.6/debian/patches/CVE-2011-2588.patch
@@ -0,0 +1,29 @@
+From: Rémi Denis-Courmont
+Subject: [PATCH 2/2] AVI: fix heap buffer overflow (CVE-2011-2588)
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commit;h=6953ce0862161d09c2b7ca8686a550527a11b9a2
+
+---
+ modules/demux/avi/libavi.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/modules/demux/avi/libavi.c
++++ b/modules/demux/avi/libavi.c
+@@ -379,7 +379,8 @@
+ case( AVIFOURCC_vids ):
+ p_strh->strh.i_samplesize = 0; /* XXX for ffmpeg avi file */
+ p_chk->strf.vids.i_cat = VIDEO_ES;
+- p_chk->strf.vids.p_bih = malloc( p_chk->common.i_chunk_size );
++ p_chk->strf.vids.p_bih = malloc( __MAX( p_chk->common.i_chunk_size,
++ sizeof( *p_chk->strf.vids.p_bih ) ) );
+ AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize );
+ AVI_READ4BYTES( p_chk->strf.vids.p_bih->biWidth );
+ AVI_READ4BYTES( p_chk->strf.vids.p_bih->biHeight );
+@@ -395,7 +396,7 @@
+ {
+ p_chk->strf.vids.p_bih->biSize = p_chk->common.i_chunk_size;
+ }
+- if( p_chk->common.i_chunk_size - sizeof(BITMAPINFOHEADER) > 0 )
++ if( p_chk->common.i_chunk_size > sizeof(BITMAPINFOHEADER) )
+ {
+ memcpy( &p_chk->strf.vids.p_bih[1],
+ p_buff + 8 + sizeof(BITMAPINFOHEADER), /* 8=fourrc+size */
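Review bot: The result of the enlarged `malloc( __MAX( ... ) )` in the `AVIFOURCC_vids` case is still dereferenced on the very next line (`AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize )`) without a NULL check, and `i_chunk_size` is a chunk-supplied value, so an oversized chunk that makes the allocation fail turns into a write through NULL instead of a clean error. A guard such as `if( p_chk->strf.vids.p_bih == NULL )` that leaves through the function's existing error-exit path should follow the allocation. Separately, the fix sizes the destination to at least one header, but whether the `AVI_READ4BYTES` reads are bounded against the input buffer when the chunk is shorter than a `BITMAPINFOHEADER` depends on the macro definition, which is outside this hunk and worth confirming. The enclosing function starts and ends outside the hunk.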