Date: Fri, 15 Dec 2017 20:12:04 +0000 From: Hans Jerry Illikainen <hji@...topia.com> To: oss-security@...ts.openwall.com Cc: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: CVE-2017-17670: vlc: type conversion vulnerability On Fri, Dec 15, 2017 at 05:28:45AM -0500, Stiepan wrote: > Nice job! By the way, when is back-porting of the fix to the current > stable version(s) envisioned? (I doubt most oss OS distributions use > the "HEAD of the VLC master branch", nor that most Windows or Mac > users use the latest bleeding-edge build, leaving a potentially large > window for exploitation if former versions don't get fixed; knowing > VLC's popularity, I think that the question should be seriously > considered) > And is there a standalone patch or workaround that could be used for > older versions (besides not opening mp4 videos anymore)? The MP4 module has undergone some major changes and unfortunately the VLC project probably won't backport a fix to 2.2.x. -- hji
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ