CLD-141 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | vlc |
Deficiency Type | SECURITY |
Date Created | 2017-11-21 20:34:41 |
Date Last Modified | 2017-12-05 22:25:30 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in vlc-2.2.8-i686-1 |
Cucumber 1.0 x86_64 | fixed in vlc-2.2.8-x86_64-1 and vlc-lib_i686-2.2.8-lib_i686-1 |
Cucumber 1.1 i686 | fixed in vlc-2.2.8-i686-1 |
Cucumber 1.1 x86_64 | fixed in vlc-2.2.8-x86_64-1 and vlc-lib_i686-2.2.8-lib_i686-1 |
Details:
avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 2017-06-29,
allows an out-of-bounds heap memory write due to calling memcpy() with a wrong
size, leading to a denial of service (application crash) or possibly code
execution (CVE-2017-10699, https://nvd.nist.gov/vuln/detail/CVE-2017-10699).
As of Thu Nov 23 13:36:19 EST 2017:
This is very interesting. The NVD and Debian both claim that this vulnerability
was fixed in VLC 2.2.7; however, according to the VLC website
(http://www.videolan.org/) version 2.2.7 doesn't exist; the newest version is
2.2.6. To make things weirder though, their download server
(http://get.videolan.org/vlc/) does appear to have not only a version 2.2.7, but
also a version 2.2.8, both of which were uploaded on November 21, 2017. It is
unclear to me whether these are future releases that fix this vulnerability and
just haven't been announced yet or development versions that are not stable and
therefore not ready for production use. Their security tracker post about this
vulnerability (https://trac.videolan.org/vlc/ticket/18467) seems to hint at the
latter, so we will wait for more information before we upgrade.