Secunia Security Advisory SA41810

Website · Postby **brierjon** » 18 Feb 2011 16:41

I was wondering if VLC will be patching the plugin mentioned in the http://secunia.com/advisories/41810 advisory.

If it has been fixed Secunia needs to be notified so they can change the patch status.

Website · Postby **brierjon** » 12 Mar 2011 22:24

It looks like it is still unresolved: https://trac.videolan.org/vlc/ticket/4277 as of 3/12/11.

klausus02 · Postby **klausus02** » 01 Apr 2011 00:35

If the plugin-bug is fixed why doesn't Secunia know it? Perhaps because nobody informed them?

I asked Secunia whether they show the plugin in vlc-version 1.1.8 as not patched, they wrote:

http://secunia.com/community/forum/thre ... ix_sa41810

Does Secuna something misunderstand? So, what can be done to achieve clearity??

Postby **Rémi Denis-Courmont** » 04 Apr 2011 14:52

There has been some confusions regarding different security issues, as two different vulnerabilities have been refered in a single issue ticket.

I believe that:

Shinnai 008-20101026 (http://shinnai.altervista.org/exploits/ ... 01026.html) is fixed in VLC 1.1.5 and later,
Shinnai 007-20101019 (http://shinnai.altervista.org/exploits/ ... 01019.html) is unresolved - this is Secunia 41810.

Since Damien F. left the project over 3 years (February 2008) ago for personal reasons, both VLC browser plugins (Mozilla and ActiveX) have been left without maintainer. A new developer and/or sponsor is required. In the mean time, I do not expect any progress with this bug or any other issue specific to the browser plugins.

klausus02 · Postby **klausus02** » 04 Apr 2011 15:29

Well, may be I'm too naive... I assumed that one or two out of the nearly 100 vlc-team members could do the job of fixing ... assisted by the hints of Shinnai...

Postby **VLC_help** » 05 Apr 2011 14:01

I assumed that one or two out of the nearly 100 vlc-team members could do the job of fixing

Active VLC developer pool isn't that big

Postby **Jean-Baptiste Kempf** » 06 Apr 2011 00:01

Well, may be I'm too naive... I assumed that one or two out of the nearly 100 vlc-team members could do the job of fixing ... assisted by the hints of Shinnai...

You mean the 3 core developers?

klausus02 · Postby **klausus02** » 23 Apr 2011 13:09

Hi Jean-Baptiste,

.. a question just to prevent misunderstanding... does the actual vlc-version 1.1.9 fix the Secunia Security Advisory SA41810?

I'm not a specialist but as far as I understand the releasenotes of version 1.1.9 both the heap-based buffer overflow in mp4 demuxer
and the bug in libmod_plugin.dll are fixed now.
Please enlighten me.

Thanks Klaus

Postby **Jean-Baptiste Kempf** » 23 Apr 2011 16:20

SA41810 is not the modplug issue.
modplug and mp4 are fixed though.

The VideoLAN Forums

Secunia Security Advisory SA41810

Secunia Security Advisory SA41810

Re: Secunia Security Advisory SA41810

Re: Secunia Security Advisory SA41810

Re: Secunia Security Advisory SA41810

Re: Secunia Security Advisory SA41810

Re: Secunia Security Advisory SA41810

Re: Secunia Security Advisory SA41810

Re: Secunia Security Advisory SA41810

Re: Secunia Security Advisory SA41810

Who is online