
group.of.nepali.translators team mailing list archive

[Bug 1693893] Re: Possible remote code execution related to subtitles

 

** Also affects: vlc (Ubuntu Artful)
   Importance: Undecided
     Assignee: Simon Quigley (tsimonq2)
       Status: In Progress

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1693893

Title:
  Possible remote code execution related to subtitles

Status in vlc package in Ubuntu:
  In Progress
Status in vlc source package in Xenial:
  In Progress
Status in vlc source package in Zesty:
  In Progress
Status in vlc source package in Artful:
  In Progress

Bug description:
  VLC 2.2.5.1 fixes buffer overflow and out-of-bounds read bugs related to subtitle decoding. A company called "Check Point" appears to have reported them, but they did not release any details. [1]
  At least the following 5 commits relate to these bugs: [2]

  Presumably all currently supported Ubuntu releases are affected by at
  least one bug fixed by the patches.

  By the way, there seem to be other security-related commits in VLC
  that might need backporting, e.g. [3] [4]

  [1]: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
  [2]: https://github.com/videolan/vlc/search?q=checkpoint&type=Commits&utf8=%E2%9C%93
  [3]: https://github.com/videolan/vlc/search?o=desc&p=1&q=overflow&s=committer-date&type=Commits&utf8=%E2%9C%93
  [4]: https://github.com/videolan/vlc/search?o=desc&q=out+of+bound&s=committer-date&type=Commits&utf8=%E2%9C%93
