
Mageia alert MGASA-2013-0241 (vlc)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2013-0241: Updated vlc package fixes security vulnerability.
Date:  Fri, 9 Aug 2013 19:34:08 +0200
Message-ID:  <20130809173409.183BC44397@valstar.mageia.org>

MGASA-2013-0241 - Updated vlc package fixes security vulnerability.

Publication date: 09 Aug 2013
URL: http://advisories.mageia.org/MGASA-2013-0241.html
Type: security
Affected Mageia releases: 2, 3
CVE: CVE-2013-3565

Description:

2.0.8

Demux:
 * sgimb: use after free
   (fixes #8724 https://trac.videolan.org/vlc/ticket/8724 )
 * Improve resistance and checking against malformed MKV files
   (Check element size before reading it. This should avoid integer
   overflows inside the libebml causing heap buffer overflow. Since new
   called by the lib is limited to SIZE_MAX bytes.)

Access:
 * qtsound: fix crash when freeing memory

2.0.7

Input:
 * Fix memory exhaustion vulnerability when playing specifically crafted
   playlist files.
   (stream_ReadLine: correctly return an error on overflow
   fixes #7361 https://trac.videolan.org/vlc/ticket/7361 )

HTTP Interface:
 * lua http: Fix two xss vulnerabilities (CVE-2013-3565)

References:
- https://bugs.mageia.org/show_bug.cgi?id=10902
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3565

SRPMS:
- 3/core/vlc-2.0.8-2.mga3
- 3/tainted/vlc-2.0.8-2.mga3.tainted
- 2/core/vlc-2.0.8-0.2.mga2
- 2/tainted/vlc-2.0.8-0.2.mga2.tainted



Copyright © 2013, Eklektix, Inc.