Bug 47294 - vlc: Multiple issues (4.3)
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.3
Hardware: All Linux
Importance: P5 normal
Target Milestone: UCS 4.3-1-errata
Assigned To: Quality Assurance
Philipp Hahn
Duplicates: 47297
Depends on:
Reported: 2018-07-03 14:13 CEST by Philipp Hahn
Modified: 2018-07-04 14:54 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 0.0 ()


Description Philipp Hahn univentionstaff 2018-07-03 14:13:41 CEST
New Debian vlc 3.0.2-0+deb9u1 fixes:
This update addresses the following issue(s):

* In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to an invalid free, because the type of a box may be changed between a read operation and a free operation. (CVE-2017-17670)

3.0.2-0+deb9u1 (Thu, 03 May 2018 20:55:01 +0200)
  * New upstream release following the LTS release branch.
    - Install vlc_interface.h.
    - Fix stuttering with ALSA output.
    - Fix CRC errors in some FLAC files.
    - Add support for Wayland.
    - Better support for HLS.
    - Update VLSub.
    - Fix issues with green borders.
  * Remove embedded copy of ffmpeg.
  * debian/: Adapt to vlc 3.0 packaging:
    - Drop ffmpeg build dependencies.
    - Remove unused build dependencies: libcdio-dev, libdirectfb-dev,
    - Add new build dependencies: bison, flex, libarchive-dev,
      libharfbuzz-dev, libmicrodns-dev, libmpg123-dev, libnfs-dev,
      libprotobuf-dev, libqt5svg5-dev, libsecret-1-dev, libsoxr-dev,
      libsystemd-dev, protobuf-compiler, wayland-protocols.
    - Drop vlc-plugin-sdl.
    - Turn vlc-plugin-zvbi into a transitional package.
    - Update Breaks+Replaces versions.
    - Remove patches integrated upstream.
    - Update copyright information.
    - Add new symbols.
    - Enable all hardening options.
    - Update configure flags for 3.0.
    - Update install files for new and removed plugins.
Comment 1 Philipp Hahn univentionstaff 2018-07-03 14:25:39 CEST
*** Bug 47297 has been marked as a duplicate of this bug. ***
Comment 2 Philipp Hahn univentionstaff 2018-07-03 21:52:22 CEST
[4.3-1] 03f15a1f59 Bug #47294: vlc 3.0.2-0+deb9u1
 doc/errata/staging/phonon-backend-vlc.yaml | 10 ++++++++++
 doc/errata/staging/vlc.yaml                | 15 +++++++++++++++
 2 files changed, 25 insertions(+)


[4.3-1] 4b8816b2d0 Bug #47294: vlc 3.0.2-0+deb9u1
 doc/errata/staging/libmicrodns.yaml | 12 ++++++++++++
 doc/errata/staging/libnfs.yaml      | 12 ++++++++++++
 2 files changed, 24 insertions(+)