Ubuntu
vlc package

CVE-2008-5276 RealMedia Processing Integer Overflow Vulnerability

Bug #305958 reported by Sebastian Kemper on 2008-12-07

254

Affects		Status	Importance	Assigned to	Milestone
	vlc (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

http://www.trapkit.de/advisories/TKADV2008-013.txt

Affected Software: VLC media player < 0.9.8a
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor Status: Vendor has released an updated version

For Ibex there seems to be an updated .deb (https://bugs.launchpad.net/getdeb.net/+bug/304123) although I don't know what getdeb is. Anyway, older releases like Hardy are still vulnerable.

lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04

CVE References

2008-5276

Kees Cook (kees) on 2009-01-23

Changed in vlc:
status:	New → Confirmed

Revision history for this message

Reinhard Tartler (siretart) wrote on 2009-06-20:

fixed since jaunty with merging from unstable:

vlc (0.9.8a-1) experimental; urgency=low

  * New upstream release
    + Fix integer overflow in Real demux (VideoLAN SA-2008-11, CVE-2008-5276)
  * Enable RealRTSP access module
  * Depends on libv4l-dev to add support of some webcam
  * Don't rebootstrap. The packages causing troubles previously have been fixed

-- Christophe Mutricy <email address hidden> Wed, 03 Dec 2008 20:20:52 +0100

Changed in vlc (Ubuntu):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuvlc package