[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] [oss-security] CVE-2017-17670: vlc: type conversion vulnerability
From: Hans Jerry Illikainen <hji () dyntopia ! com>
Date: 2017-12-15 20:12:04
Message-ID: 20171215201204.GA5617 () darpa ! mil
[Download RAW message or body]
On Fri, Dec 15, 2017 at 05:28:45AM -0500, Stiepan wrote:
> Nice job! By the way, when is back-porting of the fix to the current
> stable version(s) envisioned? (I doubt most oss OS distributions use
> the "HEAD of the VLC master branch", nor that most Windows or Mac
> users use the latest bleeding-edge build, leaving a potentially large
> window for exploitation if former versions don't get fixed; knowing
> VLC's popularity, I think that the question should be seriously
> considered)
> And is there a standalone patch or workaround that could be used for
> older versions (besides not opening mp4 videos anymore)?
The MP4 module has undergone some major changes and unfortunately the
VLC project probably won't backport a fix to 2.2.x.
--
hji
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic