Full Disclosure mailing list archives
Re: [oss-security] CVE-2017-17670: vlc: type conversion vulnerability
From: Hans Jerry Illikainen <hji () dyntopia com>
Date: Fri, 15 Dec 2017 20:12:04 +0000
On Fri, Dec 15, 2017 at 05:28:45AM -0500, Stiepan wrote:
> Nice job! By the way, when is back-porting of the fix to the current stable version(s) envisioned? (I doubt most oss OS distributions use the "HEAD of the VLC master branch", nor that most Windows or Mac users use the latest bleeding-edge build, leaving a potentially large window for exploitation if former versions don't get fixed; knowing VLC's popularity, I think that the question should be seriously considered) And is there a standalone patch or workaround that could be used for older versions (besides not opening mp4 videos anymore)?

The MP4 module has undergone some major changes and unfortunately the VLC project probably won't backport a fix to 2.2.x.

--
hji

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/