Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Nov 2008 21:10:47 +0100
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com, coley@...re.org, rem@...eolan.org
Subject: Re: CVE id request: vlc

Hi,
* Steven M. Christey <coley@...us.mitre.org> [2008-11-10 19:09]:
> ======================================================
> Name: CVE-2008-5032
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5032
> Reference: MLIST:[oss-security] 20081105 CVE id request: vlc
> Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5
> Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810
> Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4
> Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-011.txt
> Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-012.txt
> Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d
> Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef651125701a2e33a8d75b815b3e39681a447
> Reference: CONFIRM:http://www.videolan.org/security/sa0810.html
> 
> Multiple stack-based buffer overflows in VideoLAN VLC media player
> 0.5.0 through 0.9.5 allow user-assisted attackers to execute arbitrary
> code via (1) the header of an invalid CUE image file, related to
> modules/access/vcd/cdrom.c; or (2) an invalid RealText (rt) subtitle
> file, related to the ParseRealText function in
> modules/demux/subtitle.c.

Could you split that up into two CVE ids? I ask because the 
realtext issue doesn't affect versions < 0.9.x which is the 
case for the version we have in Debian so I can not use a 
fixed version + not-affected for one CVE id in our security 
tracker.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ