Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 15 Dec 2017 20:12:04 +0000
From: Hans Jerry Illikainen <>
Cc: "" <>,
	"" <>
Subject: Re: CVE-2017-17670: vlc: type conversion vulnerability

On Fri, Dec 15, 2017 at 05:28:45AM -0500, Stiepan wrote:
> Nice job! By the way, when is back-porting of the fix to the current
> stable version(s) envisioned? (I doubt most oss OS distributions use
> the "HEAD of the VLC master branch", nor that most Windows or Mac
> users use the latest bleeding-edge build, leaving a potentially large
> window for exploitation if former versions don't get fixed; knowing
> VLC's popularity, I think that the question should be seriously
> considered)
> And is there a standalone patch or workaround that could be used for
> older versions (besides not opening mp4 videos anymore)?

The MP4 module has undergone some major changes and unfortunately the
VLC project probably won't backport a fix to 2.2.x.


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ