Bug 16623 - vlc new security issue CVE-2015-5949
Summary: vlc new security issue CVE-2015-5949
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/655117/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-20 20:08 CEST by David Walser
Modified: 2015-08-25 20:18 CEST

See Also:
Source RPM: vlc-2.2.1-3.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2015-08-20 20:08:36 CEST
An advisory has been issued today (August 20):
http://www.ocert.org/advisories/ocert-2015-009.html

The advisory contains a link to the upstream commit to fix the issue.  The fix will be included in VLC 2.2.2 (I'm not sure of the ETA on that release).

Mageia 4 and Mageia 5 are also affected.

David Walser 2015-08-20 20:08:42 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-08-20 20:11:40 CEST
Debian has issued an advisory for this today:
https://lists.debian.org/debian-security-announce/2015/msg00241.html
https://www.debian.org/security/2015/dsa-3342

URL: (none) => http://lwn.net/Vulnerabilities/655117/

Comment 2 Yann Cantin 2015-08-20 23:26:33 CEST
Upstream patch can't be used for vlc-2.1.6 (mga4).

CC: (none) => yann.cantin

Comment 3 David Walser 2015-08-21 00:08:19 CEST
PoC: http://openwall.com/lists/oss-security/2015/08/20/8

Comment 4 Yann Cantin 2015-08-21 02:01:53 CEST
Upstream patch fixes the issue, tested with the PoC in mga5 x86_64.

Update ready in the svn for mga5 and Cauldron.

Comment 5 Yann Cantin 2015-08-21 21:19:01 CEST
Updated packages for mga5 and Cauldron. No fix for mga4 yet.

Advisory:
========================

Updated vlc packages fix security vulnerability (CVE-2015-5949):

Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a
multimedia player and streamer, could dereference an arbitrary pointer
due to insufficient restrictions on a writable buffer. This could allow
remote attackers to execute arbitrary code via crafted 3GP files.

References:
http://www.ocert.org/advisories/ocert-2015-009.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5949
https://lists.debian.org/debian-security-announce/2015/msg00241.html

PoC: http://openwall.com/lists/oss-security/2015/08/20/8

========================

Updated packages in core/updates_testing and tainted/updates_testing
========================
vlc-2.2.1-1.1.mga5
lib64vlc5-2.2.1-1.1.mga5
lib64vlccore8-2.2.1-1.1.mga5
lib64vlc-devel-2.2.1-1.1.mga5
vlc-plugin-common-2.2.1-1.1.mga5
vlc-plugin-zvbi-2.2.1-1.1.mga5
vlc-plugin-kate-2.2.1-1.1.mga5
vlc-plugin-libass-2.2.1-1.1.mga5
vlc-plugin-lua-2.2.1-1.1.mga5
vlc-plugin-ncurses-2.2.1-1.1.mga5
vlc-plugin-lirc-2.2.1-1.1.mga5
svlc-2.2.1-1.1.mga5
vlc-plugin-aa-2.2.1-1.1.mga5
vlc-plugin-sdl-2.2.1-1.1.mga5
vlc-plugin-shout-2.2.1-1.1.mga5
vlc-plugin-opengl-2.2.1-1.1.mga5
vlc-plugin-vdpau-2.2.1-1.1.mga5
vlc-plugin-projectm-2.2.1-1.1.mga5
vlc-plugin-theora-2.2.1-1.1.mga5
vlc-plugin-twolame-2.2.1-1.1.mga5
vlc-plugin-fluidsynth-2.2.1-1.1.mga5
vlc-plugin-gme-2.2.1-1.1.mga5
vlc-plugin-schroedinger-2.2.1-1.1.mga5
vlc-plugin-speex-2.2.1-1.1.mga5
vlc-plugin-flac-2.2.1-1.1.mga5
vlc-plugin-dv-2.2.1-1.1.mga5
vlc-plugin-mod-2.2.1-1.1.mga5
vlc-plugin-mpc-2.2.1-1.1.mga5
vlc-plugin-sid-2.2.1-1.1.mga5
vlc-plugin-pulse-2.2.1-1.1.mga5
vlc-plugin-jack-2.2.1-1.1.mga5
vlc-plugin-bonjour-2.2.1-1.1.mga5
vlc-plugin-upnp-2.2.1-1.1.mga5
vlc-plugin-gnutls-2.2.1-1.1.mga5
vlc-plugin-libnotify-2.2.1-1.1.mga5
vlc-plugin-chromaprint-2.2.1-1.1.mga5
vlc-debuginfo-2.2.1-1.1.mga5

vlc-2.2.1-1.1.mga5.tainted
lib64vlc5-2.2.1-1.1.mga5.tainted
lib64vlccore8-2.2.1-1.1.mga5.tainted
lib64vlc-devel-2.2.1-1.1.mga5.tainted
vlc-plugin-common-2.2.1-1.1.mga5.tainted
vlc-plugin-zvbi-2.2.1-1.1.mga5.tainted
vlc-plugin-kate-2.2.1-1.1.mga5.tainted
vlc-plugin-libass-2.2.1-1.1.mga5.tainted
vlc-plugin-lua-2.2.1-1.1.mga5.tainted
vlc-plugin-ncurses-2.2.1-1.1.mga5.tainted
vlc-plugin-lirc-2.2.1-1.1.mga5.tainted
svlc-2.2.1-1.1.mga5.tainted
vlc-plugin-aa-2.2.1-1.1.mga5.tainted
vlc-plugin-sdl-2.2.1-1.1.mga5.tainted
vlc-plugin-shout-2.2.1-1.1.mga5.tainted
vlc-plugin-opengl-2.2.1-1.1.mga5.tainted
vlc-plugin-vdpau-2.2.1-1.1.mga5.tainted
vlc-plugin-projectm-2.2.1-1.1.mga5.tainted
vlc-plugin-theora-2.2.1-1.1.mga5.tainted
vlc-plugin-twolame-2.2.1-1.1.mga5.tainted
vlc-plugin-fluidsynth-2.2.1-1.1.mga5.tainted
vlc-plugin-gme-2.2.1-1.1.mga5.tainted
vlc-plugin-schroedinger-2.2.1-1.1.mga5.tainted
vlc-plugin-speex-2.2.1-1.1.mga5.tainted
vlc-plugin-flac-2.2.1-1.1.mga5.tainted
vlc-plugin-dv-2.2.1-1.1.mga5.tainted
vlc-plugin-mod-2.2.1-1.1.mga5.tainted
vlc-plugin-mpc-2.2.1-1.1.mga5.tainted
vlc-plugin-sid-2.2.1-1.1.mga5.tainted
vlc-plugin-pulse-2.2.1-1.1.mga5.tainted
vlc-plugin-jack-2.2.1-1.1.mga5.tainted
vlc-plugin-bonjour-2.2.1-1.1.mga5.tainted
vlc-plugin-upnp-2.2.1-1.1.mga5.tainted
vlc-plugin-gnutls-2.2.1-1.1.mga5.tainted
vlc-plugin-libnotify-2.2.1-1.1.mga5.tainted
vlc-plugin-chromaprint-2.2.1-1.1.mga5.tainted
vlc-debuginfo-2.2.1-1.1.mga5.tainted

from SRPMS:
vlc-2.2.1-1.1.mga5.src.rpm
vlc-2.2.1-1.1.mga5.tainted.src.rpm

Assignee: shlomif => qa-bugs

Comment 6 David Walser 2015-08-21 21:31:26 CEST
Thanks, everything looks pretty good, other than the (CVE) should be at the end of the paragraph rather than the title in the advisory.  Thanks for this.  Mageia 4 should be fixed as well; the patch applies cleanly there too.  Assigning this back to Yann until Mageia 4's update is available.

CC: (none) => qa-bugs
Version: Cauldron => 5
Assignee: qa-bugs => yann.cantin
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Yann Cantin 2015-08-21 23:13:50 CEST

Blocks: (none) => 16631

Comment 7 David Walser 2015-08-22 01:12:10 CEST
Assigning this back to QA since the cloned Mageia 4 bug is now filed.

CC: qa-bugs => (none)
Assignee: yann.cantin => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 8 Brian Rockwell 2015-08-24 01:12:06 CEST
I've installed.

Tested Movie, flac and MP3 player.  All seems to be working properly.

CC: (none) => brtians1
Whiteboard: (none) => MGA5-64-OK

Comment 9 Brian Rockwell 2015-08-25 02:59:57 CEST
Installed on 32-bit VBox VM.   Audio seems to be working correctly.

All items installed as expected.

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 10 James Kerr 2015-08-25 11:13:52 CEST
I think that this bug should depend on bug 16631 (the mga4 bug) which should block this one.

Can I just change these?

This update could then be validated and the dependency would prevent it from being released until 16631 is validated.

Comment 11 James Kerr 2015-08-25 11:18:40 CEST
Ignore comment #10 - I got it the wrong way round.

Comment 12 Rémi Verschelde 2015-08-25 11:20:14 CEST
Why should there be a dependency between the two bugs? IMO it's only required if the Mageia 4 updated version is higher than the Mageia 5 release version, but that's not the case as far as I know.

There is (a priori) no reason to make sure that both updates are pushed at the same time.

Comment 13 James Kerr 2015-08-25 11:28:37 CEST
Validated update

The advisory is in comment #5

A QA committer needs to upload the advisory to SVN

The packages can then be pushed to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 14 James Kerr 2015-08-25 11:46:15 CEST
(In reply to Rémi Verschelde from comment #12)
That's why I got confused. I had trouble identifying the purpose of the block.

I've removed the block.

Blocks: 16631 => (none)

Comment 15 Rémi Verschelde 2015-08-25 19:02:40 CEST
Advisory uploaded.

Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

Comment 16 Mageia Robot 2015-08-25 20:18:39 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0324.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

