Bug#461544: vlc: CVE-2008-0296 arbitrary code execution via crafted RTSP server
retitle 461544 vlc: CVE-2008-029[5,6] multiple vulnerabilities in embedded xine copy
thanks

Hi Christophe,
* Christophe Mutricy [EMAIL PROTECTED] [2008-01-21 11:41]:
> > I contacted upstream for a patch of this.
>
> Hmmm, your mail hasn't reached us (or was mistakenly deleted in moderation or I haven't looked well enough)

Strange, glad to see that you follow the bug tracker.

> Anyway, here's a patch:
> http://trac.videolan.org/vlc/changeset/24440

Thanks!

> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296
>
> Btw, there is also CVE-2008-0295 but I don't really see the difference between 295 and 296 as they refer to the same advisory of Luigi Auriemma

Yes this was still on our TODO list :)

CVE-2008-0295[0]:
| Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in
| the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and
| earlier, allows user-assisted remote attackers to cause a denial of
| service (crash) or execute arbitrary code via long Session Description
| Protocol (SDP) data.

Mitre usually splits different vulnerabilities to different CVE ids.

Kind regards
Nico

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0295
    http://security-tracker.debian.net/tracker/CVE-2008-0295

--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Processed: Re: Bug#461544: vlc: CVE-2008-0296 arbitrary code execution via crafted RTSP server
Processing commands for [EMAIL PROTECTED]:

> retitle 461544 vlc: CVE-2008-029[5,6] multiple vulnerabilities in embedded xine copy
Bug#461544: vlc: CVE-2008-0296 arbitrary code execution via crafted RTSP server
Changed Bug title to `vlc: CVE-2008-029[5,6] multiple vulnerabilities in embedded xine copy' from `vlc: CVE-2008-0296 arbitrary code execution via crafted RTSP server'.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Bug#461544: vlc: CVE-2008-0296 arbitrary code execution via crafted RTSP server
> I contacted upstream for a patch of this.

Hmmm, your mail hasn't reached us (or was mistakenly deleted in moderation or I haven't looked well enough)

Anyway, here's a patch:
http://trac.videolan.org/vlc/changeset/24440

> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296

Btw, there is also CVE-2008-0295 but I don't really see the difference between 295 and 296 as they refer to the same advisory of Luigi Auriemma

--
Xtophe
Bug#461544: vlc: CVE-2008-0296 arbitrary code execution via crafted RTSP server
Package: vlc
Version: 0.8.6-svn20061012.debian-5etch1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for vlc.

CVE-2008-0296[0]:
| Heap-based buffer overflow in the libaccess_realrtsp plugin in
| VideoLAN VLC Media Player 0.8.6d and earlier on Windows might allow
| remote RTSP servers to cause a denial of service (application crash)
| or execute arbitrary code via a long string.

If you fix this vulnerability please also include the CVE id in your changelog entry.

I contacted upstream for a patch of this.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.