[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] [oss-security] CVE-2017-17670: vlc: type conversion vulnerability
- To: oss-security@xxxxxxxxxxxxxxxxxx
- Subject: Re: [FD] [oss-security] CVE-2017-17670: vlc: type conversion vulnerability
- From: Hans Jerry Illikainen <hji@xxxxxxxxxxxx>
- Date: Fri, 15 Dec 2017 20:12:04 +0000
On Fri, Dec 15, 2017 at 05:28:45AM -0500, Stiepan wrote:
> Nice job! By the way, when is back-porting of the fix to the current
> stable version(s) envisioned? (I doubt most oss OS distributions use
> the "HEAD of the VLC master branch", nor that most Windows or Mac
> users use the latest bleeding-edge build, leaving a potentially large
> window for exploitation if former versions don't get fixed; knowing
> VLC's popularity, I think that the question should be seriously
> considered)
> And is there a standalone patch or workaround that could be used for
> older versions (besides not opening mp4 videos anymore)?
The MP4 module has undergone some major changes and unfortunately the
VLC project probably won't backport a fix to 2.2.x.
--
hji
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/