[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] [oss-security] CVE-2017-17670: vlc: type conversion vulnerability

To: oss-security@xxxxxxxxxxxxxxxxxx
Subject: Re: [FD] [oss-security] CVE-2017-17670: vlc: type conversion vulnerability
From: Hans Jerry Illikainen <hji@xxxxxxxxxxxx>
Date: Fri, 15 Dec 2017 20:12:04 +0000

On Fri, Dec 15, 2017 at 05:28:45AM -0500, Stiepan wrote:
> Nice job! By the way, when is back-porting of the fix to the current
> stable version(s) envisioned? (I doubt most oss OS distributions use
> the "HEAD of the VLC master branch", nor that most Windows or Mac
> users use the latest bleeding-edge build, leaving a potentially large
> window for exploitation if former versions don't get fixed; knowing
> VLC's popularity, I think that the question should be seriously
> considered)
> And is there a standalone patch or workaround that could be used for
> older versions (besides not opening mp4 videos anymore)?

The MP4 module has undergone some major changes and unfortunately the
VLC project probably won't backport a fix to 2.2.x.

-- 
hji

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] CVE-2017-17670: vlc: type conversion vulnerability
  - From: Hans Jerry Illikainen
- Re: [FD] [oss-security] CVE-2017-17670: vlc: type conversion vulnerability
  - From: Stiepan

Prev by Date: Re: [FD] CVE-2017-15944: Palo Alto Networks firewalls remote root code execution
Next by Date: [FD] Multiple Vulnerabilities in TP-Link TL-SG108E - CVE-2017-17745, CVE-2017-17746, CVE-2017-17747
Previous by thread: Re: [FD] [oss-security] CVE-2017-17670: vlc: type conversion vulnerability
Next by thread: [FD] SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution
Index(es):
- Date
- Thread