Univention Bugzilla – Bug 50040
vlc: Multiple issues (4.4)
Last modified: 2019-08-22 15:30:18 CEST
New Debian vlc 3.0.8-0+deb9u1 fixes:

This update addresses the following issues:

* An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp4/mp4.c in VideoLAN VLC media player through 3.0.7.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and crash) or possibly have unspecified other impact via a crafted .mp4 file. (CVE-2019-13602)
* lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read because it does not properly validate the width and height. (CVE-2019-13962)
* vlc (CVE-2019-14437)
* vlc (CVE-2019-14438)
* vlc (CVE-2019-14498)
* vlc (CVE-2019-14533)
* vlc (CVE-2019-14534)
* vlc (CVE-2019-14535)
* vlc (CVE-2019-14776)
* vlc (CVE-2019-14777)
* vlc (CVE-2019-14778)
* vlc (CVE-2019-14970)
--- mirror/ftp/4.4/unmaintained/4.4-1/source/vlc_3.0.7-0+deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-1/source/vlc_3.0.8-0+deb9u1.dsc @@ -1,3 +1,24 @@ +3.0.8-0+deb9u1 [Tue, 20 Aug 2019 20:58:05 +0200] Sebastian Ramacher <sramacher@debian.org>: + + * New upstream release. + - Fix a buffer overflow in the MKV demuxer (CVE-2019-14970) + - Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962) + - Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, + CVE-2019-14438) + - Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776) + - Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778) + - Fix a use after free in the ASF demuxer (CVE-2019-14533) + - Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602) + (Closes: #932131) + - Fix a null dereference in the ASF demuxer (CVE-2019-14534) + - Fix a division by zero in the CAF demuxer (CVE-2019-14498) + - Fix a division by zero in the ASF demuxer (CVE-2019-14535) + - Fix a division by zero when playing DVDs. (Closes: #929491, #923017, + #932182) + * debian/patches: + - Revert modplug version bump. We use the libopenmpt compat layer anyway. + - Revert libebml version bump. libebml has been fixed separately. + 3.0.7-0+deb9u1 [Sun, 09 Jun 2019 22:00:27 +0200] Sebastian Ramacher <sramacher@debian.org>: * New upstream bug fix release. (Closes: #930276) <http://10.200.17.11/4.4-1/#2040207209071336722>
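Review bot: the errata text in this bug lists ten of the twelve CVEs only as bare "vlc (CVE-2019-...)" entries, while this changelog hunk already names the affected component and bug class for every one of them (e.g. "Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)", "Fix a use after free in the ASF demuxer (CVE-2019-14533)", "Fix a division by zero in the CAF demuxer (CVE-2019-14498)"); copy those one-line descriptions into the errata so administrators can tell that all of these are crafted-media-file issues in the demuxers and decoder. Two further points from the same hunk worth stating in the errata: the changelog also records a non-security fix ("Fix a division by zero when playing DVDs"), and the debian/patches entry "Revert libebml version bump. libebml has been fixed separately." implies the MKV fixes depend on a separate libebml update, so the advisory should say whether that package is shipped alongside this one.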
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-1] 5ca0e127d7 Bug #50040: vlc 3.0.8-0+deb9u1
 doc/errata/staging/vlc.yaml | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)

[4.4-1] 4762049d59 Bug #50040: vlc 3.0.8-0+deb9u1
 doc/errata/staging/vlc.yaml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
<http://errata.software-univention.de/ucs/4.4/236.html>