A critical vulnerability was discovered in VLC’s ASF demuxer, Quoting the VideoLAN Security Advisory page : “Details: When parsing a specially crafted ASF movie, a buffer overflow might occur. Impact: If successful, a malicious third party could trigger an invalid memory access, leading to a crash of VLC media player’s process. In some cases attackers might exploit this issue to execute arbitrary code within the context of the application but this information is not confirmed.”
I wanted to wait for 2.0.6 at first but since the VideoLAN developers are at FOSDEM this weekend, and my build box was idle, I decided to build some packages incorporating the patch for that vulnerability.
Get them at one of the mirrors, for instance use one of my own repositories. Note that there are new packages for both Slackware 13.37 and 14.0:
- http://slackware.com/~alien/slackbuilds/vlc/ (only containing the versions that do not violate US patents). Mirrored at http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/vlc/ .
- http://taper.alienbase.nl/mirrors/people/alien/restricted_slackbuilds/vlc/ (alternative repository containing packages capable of AAC/MP3 encoding).
Rsync acccess is offered by the mirror server: rsync://taper.alienbase.nl/mirrors/people/alien/restricted_slackbuilds/vlc/ .
My usual warning about patents: versions that can not only DEcode but also ENcode mp3 and aac audio can be found in my alternative repository where I keep the packages containing code that might violate stupid US software patents.
Eric
Leave a Reply