memory corruption, code execution (CVE-2011-0531)

Bug #714089 reported by gialdo
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
vlc (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Maverick | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: vlc

The package "vlc" in the currently supported stable versions of Ubuntu is vulnerable:
http://www.videolan.org/security/sa1102.html
It's been fixed upstream on February 1 in version 1.1.7.

Also the CVE isn't tracked here:
http://people.canonical.com/~ubuntu-security/cve/pkg/vlc.html

visibility: private → public
Benjamin Drung (bdrung)
Changed in vlc (Ubuntu):
status: New → Fix Released
Benjamin Drung (bdrung) wrote :

Attached the patches for maverick-security and lucid-security.

Benjamin Drung (bdrung) wrote :
gialdo (gial-do-deactivatedaccount-deactivatedaccount) wrote :

Don't know if that's helpful but:
Fixed in Debian squeeze for 1.1.3
http://www.debian.org/security/2011/dsa-2159

Sorry to ask, what's holding this one back?

Changed in vlc (Ubuntu Lucid):
status: New → In Progress
Changed in vlc (Ubuntu Maverick):
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

ACK to both lucid and maverick.

Changed in vlc (Ubuntu Lucid):
status: In Progress → Confirmed
Changed in vlc (Ubuntu Maverick):
status: In Progress → Confirmed
Changed in vlc (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in vlc (Ubuntu Maverick):
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! I have uploaded these to the security PPA and will publish them to the archive when they finish building.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 1.1.4-1ubuntu1.4

---------------
vlc (1.1.4-1ubuntu1.4) maverick-security; urgency=low

  * SECURITY UPDATE: memory corruption, code execution (LP: #714089)
    - debian/patches/mkv-input-validation.diff: Fix MKV improper input
      validation, thanks to Steve Lhomme
    - CVE-2011-0531
    - VideoLAN-SA-1102
 -- Benjamin Drung <email address hidden> Wed, 09 Feb 2011 23:52:19 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 1.0.6-1ubuntu1.5

---------------
vlc (1.0.6-1ubuntu1.5) lucid-security; urgency=low

  * SECURITY UPDATE: memory corruption, code execution (LP: #714089)
    - debian/patches/mkv-input-validation.diff: Fix MKV improper input
      validation, thanks to Steve Lhomme
    - CVE-2011-0531
    - VideoLAN-SA-1102
 -- Benjamin Drung <email address hidden> Thu, 10 Feb 2011 00:00:19 +0100

Changed in vlc (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in vlc (Ubuntu Maverick):
status: Fix Committed → Fix Released