[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-08-02 Thread Launchpad Bug Tracker
This bug was fixed in the package vlc - 2.0.3-0ubuntu0.12.04.1 --- vlc (2.0.3-0ubuntu0.12.04.1) precise-security; urgency=low * New bug-fixing upstream release (LP: #1025713). * SECURITY UPDATE: Heap-based buffer overflow in the Ogg_DecodePacket function in the OGG demuxer

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-31 Thread Benjamin Drung
I have been using vlc 2.0.3-0ubuntu0.12.04.1 for nearly a week without noticing any regressions. No OMG Ubuntu! reader testing VLC [1] reported a regression. [1] http://www.omgubuntu.co.uk/2012/07/latest-stable-vlc-heading-to-ubuntu-12-04-help-test-it-now ** Tags removed: verification-needed **

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-27 Thread Sam_
When 2.0.1 wasn't installed and upgraded by 2.0.3 then the installation of 2.0.3 contains more packages and the version is displayed correctly. ~$ sudo apt-get install vlc/precise-proposed The following NEW packages will be installed: libcddb2 libcrystalhd3 libdvbpsi7 libebml3 libiso9660-8

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-26 Thread Sam_
Installed from proposed. The terminal states the previous version, contrary to the About dialog (screenshot). ## bug 998729 is still present. I've attempted to open playlist - My Computer - My Music and double click on a folder which contains a few .mp3 and .ogg files. Result: nothing happens.

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-26 Thread Benjamin Drung
Have you updated all vlc binary packages (like libvlc, vlc-data, and so on)? vlc --version should say VLC-Version 2.0.3 Twoflower (2.0.2-93-g77aa89e). Did this issue happen in the previous vlc version too or not (i.e. is it a regression)? -- You received this bug notification because you are a

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-26 Thread Rémi Denis-Courmont
Playing an encrypted DVD without decryption library is not possible. This is not a regression. And bug 998729 is not supposed to be fixed by 2.0.3 update anyway.

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-26 Thread Sam_
Benjamin, yes all packages were installed and the DVD issue is also with 2.0.1. Rémi, I didn't attempt to play any DVD neither en- nor decrypted. So far the playlist is unusable since 12.04 and was fine in 11.10. It also doesn't open per media dialog, neither file nor directory. (Although 2.0.3

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-26 Thread Benjamin Drung
Please run sudo apt-get install libvlc5/precise-proposed and then retry vlc --version. Your DVD playback related issue is unrelated to this SRU then. Please open a new bug report for it.

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-25 Thread Jamie Strandboge
Pocket copied vlc to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance! ** Tags removed: security-verification ** Tags added: verification-needed ** Changed in: vlc (Ubuntu

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-25 Thread Jamie Strandboge
To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1025713 Title: SRU request for VLC 2.0.2/2.0.3 To

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-25 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/precise-proposed/vlc

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-24 Thread Benjamin Drung
CVE-2012-2396 is a security bug in taglib (that is fixed in taglib 1.7.2-1), but not in the vlc source code.

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-24 Thread Benjamin Drung
I tried the exploit for CVE-2012-0904 [1]. VLC 2.0.1-4 did not crash. It failed to open the .amr file: [0x7f6a70c01bc8] avformat demux error: Could not open : Operation not permitted [0x7f6a70c01bc8] ps demux error: cannot peek [0x7f6aab78] main input error: no suitable demux module for

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-24 Thread Bryce Harrington
Added to this PPA: https://launchpad.net/~bryce/+archive/backports

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-24 Thread Bryce Harrington
bdrung, you mentioned this fixed nine ubuntu bugs; which bug #'s are those? Might be worth including them in the changelog entry?

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-24 Thread Jamie Strandboge
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0904

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-24 Thread Jamie Strandboge
Ok, I have updated the CVE tracker with the information on CVE-2012-0904 and CVE-2012-2396. I agree with Bryce on adding the bug references to the changelog. Once that is done, please resubscribe ubuntu-security-sponsors and we'll build this in ubuntu-security-proposed (and if ubuntu-sru

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-24 Thread Jamie Strandboge
Benjamin pointed out that using the appropriate -v will give all the bugs. I am preparing the upload to ubuntu-security-proposed now. ** Changed in: vlc (Ubuntu Precise) Assignee: Benjamin Drung (bdrung) => Jamie Strandboge (jdstrand)

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-24 Thread Jamie Strandboge
Reviewing the changelog, this looks like all bug fixes on Linux. ACK.

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-24 Thread Jamie Strandboge
This has now been uploaded to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages ** This bug has been flagged as a security vulnerability ** Tags added: security-verification ** Changed in: vlc (Ubuntu Precise) Assignee: Jamie Strandboge (jdstrand) => (unassigned)

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-23 Thread Benjamin Drung
I synced vlc 2.0.3-1 from Debian unstable to quantal. VLC 2.0.2 closes nine Launchpad bugs. I intend to request a MRE for VLC, but currently didn't find the time to do it. The test suite for VLC is small and currently not run when building the package. The test suite succeeds on a local build,

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-23 Thread Benjamin Drung
Here's a debdiff against the quantal package for SRUing VLC to precise-security-proposed. ** Patch added: vlc_2.0.3-0ubuntu0.12.04.1.debdiff https://bugs.launchpad.net/ubuntu/quantal/+source/vlc/+bug/1025713/+attachment/3233494/+files/vlc_2.0.3-0ubuntu0.12.04.1.debdiff

[Bug 1025713] Re: SRU request for VLC 2.0.2/2.0.3

2012-07-23 Thread Jamie Strandboge
CVE-2012-0904, CVE-2012-2396 and CVE-2012-3377 are listed as affecting precise, but the debdiff only mentions CVE-2012-3377. Can you comment on the other two? ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0904 ** CVE added: http://www.cve.mitre.org/cgi-