CLD-140 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | vlc |
Deficiency Type | SECURITY |
Date Created | 2017-11-21 20:34:30 |
Date Last Modified | 2017-12-05 22:25:30 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in vlc-2.2.8-i686-1 |
Cucumber 1.0 x86_64 | fixed in vlc-2.2.8-x86_64-1 and vlc-lib_i686-2.2.8-lib_i686-1 |
Cucumber 1.1 i686 | fixed in vlc-2.2.8-i686-1 |
Cucumber 1.1 x86_64 | fixed in vlc-2.2.8-x86_64-1 and vlc-lib_i686-2.2.8-lib_i686-1 |
Details:
plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows
remote attackers to cause a denial of service (heap corruption and application
crash) or possibly have unspecified other impact via a crafted FLAC file
(https://nvd.nist.gov/vuln/detail/CVE-2017-9300).
As of Thu Nov 23 13:36:19 EST 2017:
This is very interesting. Debian claims that this vulnerability was fixed in VLC
2.2.7; however, according to the VLC website (http://www.videolan.org/) version
2.2.7 doesn't exist; the newest version is 2.2.6. To make things weirder though,
their download server (http://get.videolan.org/vlc/) does appear to have not
only a version 2.2.7, but also a version 2.2.8, both of which were uploaded on
November 21, 2017. It is unclear to me whether these are future releases that
fix this vulnerability and just haven't been announced yet or development
versions that are not stable and therefore not ready for production use. Their
security tracker post about CVE-2017-10699 [CLD-141]
(https://trac.videolan.org/vlc/ticket/18467) seems to hint at the latter, so we
will wait for more information before we upgrade.