CLD-469 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | vlc |
Deficiency Type | SECURITY |
Date Created | 2018-07-11 17:27:10 |
Date Last Modified | 2018-07-18 10:53:53 |
Version Specific Information:
Cucumber 1.0 i686 | waiting for upstream to publish patch |
Cucumber 1.0 x86_64 | waiting for upstream to publish patch |
Cucumber 1.1 i686 | waiting for upstream to publish patch |
Cucumber 1.1 x86_64 | waiting for upstream to publish patch |
Details:
Allows for arbitrary code execution if the user opens a malicious MKV file.
The VLC developers have fixed this in version 3.0.3 of VLC; however, they have
no intention of fixing it in VLC 2.2.x (the version used on Cucumber Linux
1.0/1.1). We cannot upgrade to VLC 3.0.x due to ABI incompatibilities and
dependency changes. Additionally, the VLC developers have no idea what actions
are necessary to fix this vulnerability; they claim that they happened to fix
it in one of the many changes they made between VLC 2.2.8 and 3.0.0, but they
have no idea which commit fixed it.
This leaves us with no choice other than to essentially remain vulnerable to
this. Shame on the VLC developers. Perhaps it is time to start looking for a
new media player for Cucumber Linux 2.0.