[SECURITY] [DLA 2728-1] vlc security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2728-1] vlc security update
From: "Chris Lamb" <lamby@debian.org>
Date: Tue, 3 Aug 2021 09:26:45 -0400 (EDT)
Message-id: <[🔎] 162799712662.190459.17913193593706217038@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2728-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
August 03, 2021                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : vlc
Version        : 3.0.11-0+deb9u2
CVE IDs        : CVE-2021-25801 CVE-2021-25802 CVE-2021-25803 CVE-2021-25804

It was discovered that there were a number of issues in VideoLAN (aka
'vlc', a popular video and multimedia player:

- - CVE-2021-25801: A buffer overflow vulnerability in the __Parse_indx
  component allowed attackers to cause an out-of-bounds read via a
  crafted .avi file.

- - CVE-2021-25802: A buffer overflow vulnerability in the
  AVI_ExtractSubtitle component could have allowed attackers to cause
  an out-of-bounds read via a crafted .avi file.

- - CVE-2021-25803: A buffer overflow vulnerability in the
  vlc_input_attachment_New component allowed attackers to cause an
  out-of-bounds read via a specially-crafted .avi file.

- - CVE-2021-25804: A NULL-pointer dereference in "Open" in avi.c can
  result in a denial of service (DoS) vulnerability.


For Debian 9 "Stretch", these problems have been fixed in version
3.0.11-0+deb9u2.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc, please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmEJQ8QACgkQHpU+J9Qx
Hlh43Q/+I1O/j1aj/JRS80XNb2z7DrNuB1Ggay1PHLYgXGjSvNrokcvOF0j0fFHU
YE9y6P/7/360f6gR/Y/DaVT+pjUfunAtxg6ojIRgHc8II2WHMlFR/xuQGNPH0wEU
j5nUXNvJvty/7lD/gVNzEeFpjj6pNATsUQlO5QzUjwn2FDeHQGU5DMHVM3uGTTw2
WYM9zP/QbaPs3jL+TMN/rAvhlLd7COSHozcM9ooP60RhrM+NQMZZ52Xju4zEvurr
akF0vmSl2y5SI9HXV3CVxcJnh5RpPG1CMAjmqZCWgrhTOlpT80m4dwn/+U282820
xqVcF/f8lsRjlv/Ri/UEU9C53ox3swpcNQQHF+PtVBIVfC25eABIcFERjdwsogL8
ON5rE8xj3JM2wcV5bY+CH9B0qsBGIVncY5BeOhrOWOKuxLgkjbygJlAma8D4SMRf
xkDb814w9X2Lxlf65tp11zJVbZxgDhjZVGkXbZjx75ZqCdtAySrEqRQrITQusabG
Sa5G1e23j/kfEWomBSG8vBgtW79hQXrPzS4z3/8+2qFreYZlG9yA/DtGzM9Tj4TW
i0LMjODzO/eleGvLvs7nJtirIaDvgKzo6IlqnPd21SC3ocRRTTJMCB9qoGUAnZ3T
NaGE9P7H2WFmLxgi8AQ400pMyACI8GNB+GU9NyUrhsaHd8pvGc0=
=hdF4
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2727-1] pyxdg security update
Next by Date: [SECURITY] [DLA 2729-1] asterisk security update
Previous by thread: [SECURITY] [DLA 2727-1] pyxdg security update
Next by thread: [SECURITY] [DLA 2729-1] asterisk security update
Index(es):
- Date
- Thread