Multiple vulnerabilites in vlc prior to 0.8.6e

Confirmed all versions dapper-hardy affected.

greets

Have the CVEs listed here been patched in the latest release?

Yes, as you can see in the release notes.

Can we then have the fixes in Ubuntu? By latest release, I was referring to Ubuntu releases but I did not make that clear.

Adding new CVE references since new security holes have been discovered on vlc 0.8.6d and previous (vlc 0.8.6e is 75% fixed on these new security holes)

The diff in 0.8.6e is insane. I doubt it's going to happen for Hardy, but the security fixes should.

The diff for 0.8.6e isn't as insane as I thought; an FFe is currently pending.

William, if you're doing this, please consider reviewing packaging changes from the Debian since last merge. They've made some very nice cleanups and build process looks more sane again. I think we could even build against our own libfaad-dev as it's in the universe now. Thanks in advance for the much awaited FFe.

Matti Lindell wrote:
> William, if you're doing this, please consider reviewing packaging
> changes from the Debian since last merge. They've made some very nice
> cleanups and build process looks more sane again. I think we could even
> build against our own libfaad-dev as it's in the universe now. Thanks in
> advance for the much awaited FFe.

I'd prefer not to do that less than a month before release. Merging with
Debian would be very good, and I'll probably look at it for Intrepid.

--
William Grant

CVE-2008-1489 has also appeared, and is tracked in bug #207284.

This bug was fixed in the package vlc - 0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu1

---------------
vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu1) hardy; urgency=low

  [ Mario Limonciello ]
  * New upstream version. (LP: #206918)
    - New versioning scheme to bring attention to the fact that
      faad and x264 are in the .orig.tar.gz.
    - Fixes 6 CVEs (LP: #196452)
      + CVE: 2007-6681
      + CVE: 2007-6682
      + CVE: 2007-6683
      + CVE: 2008-0295
      + CVE: 2008-0296
  * Drop 021_CVE-2008-0984 as it's included upstream.
  * debian/rules:
    - Adjust items touched for faad2 when building.
    - Apply all faad2 patches when building
  * debian/control:
    - Add dpatch, libfaad-dev, and autotools-dev to build-depends to allow
      faad2 to build again.
    - Add automake, cvs, and libtool to build depends (now needed for building VLC)

  [ Martin Hamrle ]
   * Add new package with pulse output plugin (LP: #196417)
     - debian/patches/030_pulse.diff:
       + patch from upstream trunk to support pulseaudio output
     - debian/rules:
       + enable pulseaudio
     - debian/control:
       + add dependencies to libpulse-dev
       + new package description
     - Creates a NEW binary package, requiring FFe (LP: #204050)

 -- Mario Limonciello <email address hidden> Tue, 25 Mar 2008 20:08:07 -0500

According to further upstream changelogs, 0.8.6e apparently didn't really fix CVE-2007-668[13]. Upstream is so reliable.

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.