CLD-140 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-9300 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) vlc
Deficiency Type SECURITY
Date Created 2017-11-21 20:34:30
Date Last Modified 2017-12-05 22:25:30

Version Specific Information:

Cucumber 1.0 i686 fixed in vlc-2.2.8-i686-1
Cucumber 1.0 x86_64 fixed in vlc-2.2.8-x86_64-1 and vlc-lib_i686-2.2.8-lib_i686-1

Cucumber 1.1 i686 fixed in vlc-2.2.8-i686-1
Cucumber 1.1 x86_64 fixed in vlc-2.2.8-x86_64-1 and vlc-lib_i686-2.2.8-lib_i686-1

Details:

plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows
remote attackers to cause a denial of service (heap corruption and application
crash) or possibly have unspecified other impact via a crafted FLAC file
(https://nvd.nist.gov/vuln/detail/CVE-2017-9300).

As of Thu Nov 23 13:36:19 EST 2017:

This is very interesting. Debian claims that this vulnerability was fixed in VLC
2.2.7; however, according to the VLC website (http://www.videolan.org/) version
2.2.7 doesn't exist; the newest version is 2.2.6. To make things weirder though,
their download server (http://get.videolan.org/vlc/) does appear to have not
only a version 2.2.7, but also a version 2.2.8, both of which were uploaded on
November 21, 2017. It is unclear to me whether these are future releases that
fix this vulnerability and just haven't been announced yet or development
versions that are not stable and therefore not ready for production use. Their
security tracker post about CVE-2017-10699 [CLD-141]
(https://trac.videolan.org/vlc/ticket/18467) seems to hint at the latter, so we
will wait for more information before we upgrade.