Bug 845759 (CVE-2013-4388) - VUL-0: CVE-2013-4388: vlc: Buffer overflow in the mp4a packetizer
Status: RESOLVED FIXED
Alias: CVE-2013-4388
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Dominique Leuenberger
QA Contact: Security Team bot
Reported: 2013-10-14 12:14 UTC by Marcus Meissner
Modified: 2013-10-24 13:50 UTC

Found By: Security Response Team

Description Marcus Meissner 2013-10-14 12:14:07 UTC
public via oss-sec

CVE-2013-4388


Buffer overflow in the mp4a packetizer (modules/packetizer/mpeg4audio.c) in VideoLAN VLC Media Player before 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.

http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9794ec1cd268c04c8bca13a5fae15df6594dff3e

References:
http://www.openwall.com/lists/oss-security/2013/10/01/2
http://www.securitytracker.com/id/1029120
http://www.videolan.org/developers/vlc-branch/NEWS
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4388
Comment 1 Dominique Leuenberger 2013-10-14 21:37:39 UTC
Only affected dist so far: 13.1

I'm actually working towards inclusion of VLC 2.1.0, which would contain the fix (SR#200991 pending... legal review, due to upstream license change)
Comment 2 Dominique Leuenberger 2013-10-24 13:50:31 UTC
VLC 2.1.0 entered Factory and the 13.1 repository => Fixed