CLD-141 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-10699 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) vlc
Deficiency Type SECURITY
Date Created 2017-11-21 20:34:41
Date Last Modified 2017-12-05 22:25:30

Version Specific Information:

Cucumber 1.0 i686 fixed in vlc-2.2.8-i686-1
Cucumber 1.0 x86_64 fixed in vlc-2.2.8-x86_64-1 and vlc-lib_i686-2.2.8-lib_i686-1

Cucumber 1.1 i686 fixed in vlc-2.2.8-i686-1
Cucumber 1.1 x86_64 fixed in vlc-2.2.8-x86_64-1 and vlc-lib_i686-2.2.8-lib_i686-1

Details:

avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 2017-06-29,
allows out-of-bounds heap memory write due to calling memcpy() with a wrong
size, leading to a denial of service (application crash) or possibly code
execution (https://nvd.nist.gov/vuln/detail/CVE-2017-10699).

As of Thu Nov 23 13:36:19 EST 2017:

This is very interesting. The NVD and Debian both claim that this vulnerability
was fixed in VLC 2.2.7; however, according to the VLC website
(http://www.videolan.org/) version 2.2.7 doesn't exist; the newest version is
2.2.6. To make things weirder though, their download server
(http://get.videolan.org/vlc/) does appear to have not only a version 2.2.7, but
also a version 2.2.8, both of which were uploaded on November 21, 2017. It is
unclear to me whether these are future releases that fix this vulnerability and
just haven't been announced yet or development versions that are not stable and
therefore not ready for production use. Their security tracker post about this
vulnerability (https://trac.videolan.org/vlc/ticket/18467) seems to hint at the
latter, so we will wait for more information before we upgrade.