Ubuntu
vlc package

  1. Xenial (16.04)
  2. Bug #1693893
  3. Comment #0

Comment 0 for bug 1693893

Revision history for this message
pcworld (pcworld) wrote : Possible remote code execution related to subtitles

VLC 2.2.5.1 fixes buffer overflow and out of bound read bugs related to subtitle decoding. A company called "Check Point" appears to have reported them, but they did not release any details. [1]
At least the following 5 commits relate to these bugs: [2]

Presumably all currently supported Ubuntu releases are affected by at least one bug fixed by the patches.

By the way, there seem to be other security related commits in VLC that might need backporting, e.g. [3] [4]

[1]: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
[2]: https://github.com/videolan/vlc/search?q=checkpoint&type=Commits&utf8=%E2%9C%93
[3]: https://github.com/videolan/vlc/search?o=desc&p=1&q=overflow&s=committer-date&type=Commits&utf8=%E2%9C%93
[4]: https://github.com/videolan/vlc/search?o=desc&q=out+of+bound&s=committer-date&type=Commits&utf8=%E2%9C%93