Bugzilla – Bug 866611
VUL-0: CVE-2014-1684: vlc: ASF_ReadObject_file_properties denial of service
Last modified: 2014-03-04 06:09:38 UTC
CVE-2014-1684, via NVD DB

The ASF_ReadObject_file_properties function in modules/demux/asf/libasf.c in the ASF Demuxer in VideoLAN VLC Media Player before 2.1.3 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a zero minimum and maximum data packet size in an ASF file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1684
http://git.videolan.org/gitweb.cgi/vlc.git/?p=vlc.git;a=commitdiff;h=98787d0843612271e99d62bee0dfd8197f0cf404
https://trac.videolan.org/vlc/ticket/10482
http://www.elsherei.com/?p=269
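The class of check that closes this kind of bug, as an added example that is not VLC's code or the referenced commit: read the minimum and maximum data packet size from a File Properties Object and reject zero before anything divides by them. The function names, the min > max rejection and the packet-count consumer are assumptions made for illustration; the field offsets follow the 104-byte object layout in the ASF specification.

```c
/* Added example, not VLC source: validate the packet-size fields of an
 * ASF File Properties Object before any code divides by them. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FP_OBJ_LEN 104  /* fixed size of the object per the ASF spec */
#define FP_OFF_MIN 92   /* Minimum Data Packet Size, 32-bit LE */
#define FP_OFF_MAX 96   /* Maximum Data Packet Size, 32-bit LE */

struct fp_sizes { uint32_t min_pkt, max_pkt; };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 and fills *out if the sizes are usable, -1 otherwise. */
int fp_parse_sizes(const uint8_t *obj, size_t len, struct fp_sizes *out)
{
    if (len < FP_OBJ_LEN)
        return -1;                      /* truncated object */
    out->min_pkt = rd_le32(obj + FP_OFF_MIN);
    out->max_pkt = rd_le32(obj + FP_OFF_MAX);
    if (out->min_pkt == 0 || out->max_pkt == 0)
        return -1;                      /* would be a zero divisor */
    if (out->min_pkt > out->max_pkt)
        return -1;                      /* inconsistent bounds */
    return 0;
}

/* Hypothetical consumer: whole packets in a data region. Safe only
 * because fp_parse_sizes() has already rejected a zero size. */
uint64_t fp_packet_count(uint64_t data_bytes, const struct fp_sizes *s)
{
    return data_bytes / s->max_pkt;
}

int main(void)
{
    uint8_t obj[FP_OBJ_LEN] = {0};      /* constructed sample, sizes = 0 */
    struct fp_sizes s;
    printf("zero sizes -> %d\n", fp_parse_sizes(obj, sizeof obj, &s));
    obj[FP_OFF_MIN + 1] = obj[FP_OFF_MAX + 1] = 0x0c;   /* 3072 bytes */
    if (fp_parse_sizes(obj, sizeof obj, &s) == 0)
        printf("packets: %llu\n",
               (unsigned long long)fp_packet_count(30720, &s));
    return 0;
}
```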
We already have VLC 2.1.3 in the update channel. The changelog of this version contains:

[...]
+ Demuxers:
[...]
- Fix divide by 0 on ASF/WMV parsing

which is the change described in the git commit referenced in comment #0, so I'd say we are safe to close that already; agree?
yes, please do
bugbot adjusting priority
Bugs are fixed faster than you can report them. This specific fix was included in the maintenance update to 2.1.3, which has already been done for 13.1. 13.1 at this moment is the only product shipping vlc.