New 0.9.5 release, security fixes

We will handle this in -updates / -security.

Just as a FYI regarding the Tivo demux overflow:
[jdong@blackbook:/tmp]$ vlc exploit.mpg (10-28 12:35)
VLC media player 0.9.4 Grishenko
[00000001] main libvlc debug: VLC media player - version 0.9.4 Grishenko - (c) 1996-2008 the VideoLAN team
[00000001] main libvlc debug: libvlc was configured with ./configure '--build=i486-linux-gnu' '--enable-maintaner-mode' '--enable-release' '--prefix=/usr' '--enable-libtool' '--enable-fast-install' '--with-binary-version=1ubuntu3' '--disable-update-check' '--disable-gnome' '--disable-gtk' '--disable-familiar' '--disable-fb' '--enable-ggi' '--enable-sdl' '--enable-esd' '--enable-mad' '--enable-arts' '--enable-jack' '--enable-pulse' '--enable-lirc' '--enable-a52' '--enable-aa' '--enable-dvbpsi' '--enable-mozilla' '--with-mozilla-pkg=libxul-plugin' '--disable-kde' '--enable-mp4' '--enable-dvb' '--disable-satellite' '--enable-ogg' '--enable-vorbis' '--enable-shout' '--enable-qt4' '--disable-slp' '--enable-flac' '--disable-skins' '--disable-basic-skins' '--enable-skins2' '--enable-freetype' '--enable-mkv' '--enable-speex' '--enable-caca' '--enable-live555' '--enable-libmpeg2' '--enable-fribidi' '--enable-cdio' '--enable-mod' '--enable-theora' '--enable-modplug' '--enable-dvdnav' '--enable-gnutls' '--enable-ffmpeg' '--enable-ncurses' '--enable-smb' '--disable-gnomevfs' '--enable-bonjour' '--enable-mpc' '--enable-vcd' '--enable-vcdx' '--enable-notify' '--enable-twolame' '--enable-x264' '--enable-faad' '--disable-zvbi' '--enable-telx' '--enable-mediacontrol-bindings' '--disable-atmo' '--enable-taglib' '--enable-libass' '--enable-libdca' '--enable-alsa' '--enable-dv' '--enable-v4l' '--enable-v4l2' '--enable-pvr' '--enable-svgalib' '--enable-dvd' '--without-dvdcss' 'build_alias=i486-linux-gnu' 'CFLAGS=-g -O2' 'LDFLAGS=-Wl,--as-needed' 'CPPFLAGS=' 'CXXFLAGS=-g -O2'
[00000001] main libvlc debug: translation test: code is "C"
[00000001] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[00000379] ty demux error: Unsupported SEQ bitmap size in master chunk
*** stack smashing detected ***: vlc terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7df4558]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7df4510]
/usr/lib/vlc/demux/libty_plugin.so[0xb43e9bc4]
/usr/lib/vlc/demux/libty_plugin.so[0xb43e56a6]
======= Memory map: ========
[...]

-fstack-protector nabs the attack, this is a DoS, not a arbitrary execution vulnerability, for Ubuntu.

This bug was fixed in the package vlc - 0.9.8a-1ubuntu1

---------------
vlc (0.9.8a-1ubuntu1) jaunty; urgency=low

  * merge from debian. LP: #300328, #305100, #289263
  * Fixes CVE-2008-5276
  * remaining changes
    - build against libxul-dev instead of iceape-dev
    - build against libdca-dev, libass-dev and libx264-dev
    - build against and install libx264 plugin
    - adjust Vcs-Bzr Headers in debian/control
    - add Xb-Npp header to vlc package
    - debian/patches/301_DVD_media.diff: Change %U to %f
       in VLC .desktop file, cf LP #275043

vlc (0.9.8a-1) experimental; urgency=low

  * New upstream release
    + Fix integer overflow in Real demux (VideoLAN SA-2008-11, CVE-2008-5276)
  * Enable RealRTSP access module
  * Depends on libv4l-dev to add support of some webcam
  * Don't rebootstrap. The packages causing troubles previously have been fixed

 -- Reinhard Tartler <email address hidden> Sun, 07 Dec 2008 23:12:27 +0100