openSUSE has issued an advisory on September 29: https://lists.opensuse.org/opensuse-updates/2017-09/msg00115.html The issue was fixed upstream shortly after 2.2.6 in this commit: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=55a82442cfea9dab8b853f3a4610f2880c5fadf3
VLC 2.2.8 is available, which includes multiple security fixes: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=blob;f=NEWS;h=d9b31b4e5362c7d764f3e6b23b78aaeb0b8bf868;hb=3cc1d8cba982fc988c2a421e42408bb05d1ba37f The updated NEWS file also references the commit from Comment 0 but without a CVE, and says that CVE-2017-9300 was fixed in an earlier commit before 2.2.5.1. It does list CVE-2017-10699 as a new security issue fixed by 2.2.8 though. We should update to it, and include the two commits after 2.2.8 was tagged: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=shortlog
Summary: vlc new security issue CVE-2017-9300 => vlc new security issue CVE-2017-10699
Debian has issued an advisory for this on November 21: https://www.debian.org/security/2017/dsa-4045
Updated package uploaded for Mageia 5 by Shlomi. Thanks Shlomi!

Advisory:
========================

avcodec 2.2.x, as used in VideoLAN VLC media player before 2.2.7, allows out-of-bounds heap memory write due to calling memcpy() with a wrong size, leading to a denial of service (application crash) or possibly code execution (CVE-2017-10699).

The VLC packages have been updated to version 2.2.8, which includes various security improvements in decoders and demuxers, as well as other bug fixes.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10699
https://git.videolan.org/?p=vlc/vlc-2.2.git;a=blob;f=NEWS;h=d9b31b4e5362c7d764f3e6b23b78aaeb0b8bf868;hb=3cc1d8cba982fc988c2a421e42408bb05d1ba37f
https://www.debian.org/security/2017/dsa-4045
========================

Updated packages in {core,tainted}/updates_testing:
========================
vlc-2.2.8-1.0.mga5
libvlc5-2.2.8-1.0.mga5
libvlccore8-2.2.8-1.0.mga5
libvlc-devel-2.2.8-1.0.mga5
vlc-plugin-common-2.2.8-1.0.mga5
vlc-plugin-zvbi-2.2.8-1.0.mga5
vlc-plugin-kate-2.2.8-1.0.mga5
vlc-plugin-libass-2.2.8-1.0.mga5
vlc-plugin-lua-2.2.8-1.0.mga5
vlc-plugin-ncurses-2.2.8-1.0.mga5
vlc-plugin-lirc-2.2.8-1.0.mga5
svlc-2.2.8-1.0.mga5
vlc-plugin-aa-2.2.8-1.0.mga5
vlc-plugin-sdl-2.2.8-1.0.mga5
vlc-plugin-shout-2.2.8-1.0.mga5
vlc-plugin-opengl-2.2.8-1.0.mga5
vlc-plugin-vdpau-2.2.8-1.0.mga5
vlc-plugin-projectm-2.2.8-1.0.mga5
vlc-plugin-theora-2.2.8-1.0.mga5
vlc-plugin-twolame-2.2.8-1.0.mga5
vlc-plugin-fluidsynth-2.2.8-1.0.mga5
vlc-plugin-gme-2.2.8-1.0.mga5
vlc-plugin-schroedinger-2.2.8-1.0.mga5
vlc-plugin-speex-2.2.8-1.0.mga5
vlc-plugin-flac-2.2.8-1.0.mga5
vlc-plugin-dv-2.2.8-1.0.mga5
vlc-plugin-mod-2.2.8-1.0.mga5
vlc-plugin-mpc-2.2.8-1.0.mga5
vlc-plugin-sid-2.2.8-1.0.mga5
vlc-plugin-pulse-2.2.8-1.0.mga5
vlc-plugin-jack-2.2.8-1.0.mga5
vlc-plugin-bonjour-2.2.8-1.0.mga5
vlc-plugin-upnp-2.2.8-1.0.mga5
vlc-plugin-gnutls-2.2.8-1.0.mga5
vlc-plugin-libnotify-2.2.8-1.0.mga5
vlc-plugin-chromaprint-2.2.8-1.0.mga5

from vlc-2.2.8-1.0.mga5.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
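The advisory describes the defect class (a length handed to memcpy() without being checked against the destination buffer) rather than the code. The following is an added illustration of that class and of the bounds check that closes it; it is constructed for this page and is not VLC's avcodec code nor anything from the bug report. The frame_t buffer, FRAME_CAPACITY, the length-prefixed record layout, decode_record() and the sample records are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-capacity output buffer (not VLC's code): bytes are
 * copied into it with a length that comes from the input being decoded. */
#define FRAME_CAPACITY 16

typedef struct {
    uint8_t data[FRAME_CAPACITY];
    size_t used;
} frame_t;

/* 'Before' picture of the defect class: the length is trusted and passed
 * straight to memcpy(). Any len larger than FRAME_CAPACITY writes past the
 * end of data[]. Kept only for contrast; it is only ever called below with a
 * well-formed length. */
static void copy_unchecked(frame_t *dst, const uint8_t *src, size_t len)
{
    memcpy(dst->data, src, len);
    dst->used = len;
}

/* Hardened form: the claimed length must fit both the bytes actually present
 * in the source and the capacity of the destination. On a bad length nothing
 * is copied and the caller is told to reject the input. */
static bool copy_checked(frame_t *dst, const uint8_t *src, size_t src_avail, size_t len)
{
    if (len > src_avail || len > FRAME_CAPACITY)
        return false;
    memcpy(dst->data, src, len);
    dst->used = len;
    return true;
}

/* Decode one hypothetical length-prefixed record: rec[0] is the claimed
 * payload length, rec[1..] is the payload. Returns the number of payload
 * bytes stored, or -1 when the record is rejected. */
static int decode_record(frame_t *dst, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1)
        return -1;
    size_t claimed = rec[0];
    if (!copy_checked(dst, rec + 1, rec_len - 1, claimed))
        return -1;
    return (int)claimed;
}

/* Constructed sample records (not captured from any real stream). */
static const uint8_t sample_good[]  = { 4, 'a', 'b', 'c', 'd' };   /* length and payload agree */
static const uint8_t sample_short[] = { 200, 1, 2, 3 };            /* claims 200 bytes, carries 3 */
static const uint8_t sample_big[]   = { 20, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
                                        10, 11, 12, 13, 14, 15, 16, 17, 18, 19 }; /* 20 bytes present, capacity is 16 */

/* Wrappers so each outcome can be checked as a return value. */
static int decode_good(void)  { frame_t f; return decode_record(&f, sample_good, sizeof sample_good); }
static int decode_short(void) { frame_t f; return decode_record(&f, sample_short, sizeof sample_short); }
static int decode_big(void)   { frame_t f; return decode_record(&f, sample_big, sizeof sample_big); }

int main(void)
{
    frame_t f;
    /* Safe here only because this particular input is well-formed. */
    copy_unchecked(&f, sample_good + 1, sample_good[0]);
    printf("good: %d, short: %d, big: %d\n", decode_good(), decode_short(), decode_big());
    return 0;
}
```

The two rejected records show the two separate checks that matter: a claimed length larger than what the source actually contains (an over-read), and a claimed length that fits the source but not the destination (the out-of-bounds write named in the advisory). Both must be compared before the copy, and the second one is the check that a size-only comparison against the input easily forgets.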
Mageia 5 on x86_64 real hardware. Installed all the packages before enabling updates testing. Updated them all and tested vlc with a variety of media with a favourite theme enabled (tests svlc to some extent). No problems or regressions anywhere.

Watched live HD and SD TV. Used playlist and next button to hop channels. Audio and subtitles working fine. Played pure audio files from disk - mp3, flac, ogg, wav. Loaded m3u format playlist and selected tracks from that. Info button works, file and device selection, volume adjustment, menu and preferences.

Played video files in formats: mp4, mkv, flv, webm, avi, mov and gif (no soundtracks). Where they were integrated, subtitles could be invoked from the right-click on titlebar menu. No srt files lying around just now so independent audio tracks cannot be tested. Switching between fullscreen and native size works fine. ShockwaveFlash did not work with vlc. Next button can be used to skip to the next selection during play. The previous button either restarts or goes back depending where you are. Commercial audio CDs play fine as do commercial DVDs. There is limited interaction with the on-screen menus. Subtitles for instance have to be invoked from the vlc menu. All videos can be paused, speeded up or slowed down.

This is all good so far for 64 bits. Enabled tainted updates and updated everything and ran all the previous tests again. Added a network test - viewed a YouTube scifi clip. Everything worked.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
Thank you Len for your usual exhaustive testing. Validating, advisory uploaded.
CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0424.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
bug 22095 added to get the tainted srpm pushed too.
CC: (none) => davidwhodgins