Change logs for vlc source package in Hardy

  • vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.3) hardy-security; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via invalid cue image file.
        (LP: #294243)
        - debian/patches/042_CVE-2008-5032.diff: make sure we don't overflow
          p_sectors in modules/access/vcd/cdrom.c
        - CVE-2008-5032
    
     -- Marc Deslauriers <email address hidden>   Sun, 28 Jun 2009 10:11:40 -0400
  • vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.2) hardy-security; urgency=low
    
      * SECURITY UPDATE: multiple denials of service and arbitrary code execution
        vulnerabilities. (LP: #262705)
        - debian/patches/040_CVE-2008-3732.diff: Fix TTA integer handling. Fixes
          arbitrary code execution. Patch from upstream git.
        - debian/patches/041_CVE-2008-3794.diff: Fix MMS integer handling. Fixes
          arbitrary code execution. Patch from upstream git.
        - References:
          + http://www.videolan.org/security/sa0807.html
          + CVE-2008-3732
          + CVE-2008-3794
    
     -- William Grant <email address hidden>   Sun, 21 Sep 2008 14:00:25 +1000
  • vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.1) hardy-security; urgency=low
    
      * SECURITY UPDATE: multiple denials of service, arbitrary code execution and
        arbitrary file overwriting vulnerabilities. (LP: #238873)
        - debian/patches/032_CVE-2007-6683.diff: Assume unsafe Mozilla variable
          settings. Fixes file overwriting. Patch from upstream git.
        - debian/patches/033_CVE-2008-0073.diff: Check that the RTSP stream ID
          isn't too large. Fixes arbitrary code execution. Patch from upstream git.
        - debian/patches/034_CVE-2008-1686.diff: Check that the Speex header mode
          is positive. Fixes arbitrary code execution. Patch from upstream git.
        - debian/patches/038_CVE-2008-1768.diff: Fix a buffer overflow in the MP4
          decoder, and an integer overflow in both the Cinepak and Real decoders.
          Patches from upstream git.
        - debian/patches/035_CVE-2008-1769.diff: Perform an appropriate boundary
          check on frames in Cinepak streams. Fixes denial of service. Patch from
          upstream git.
        - debian/patches/036_CVE-2008-1881.diff: Fix subtitle format strings.
          Properly fixes CVE-2007-6681, an arbitrary code execution vulnerability.
          Patch from upstream git.
        - debian/patches/037_CVE-2008-2147.diff: Only search for plugins in the
          normal path. Fixes arbitrary code execution. Patch from upstream git.
        - debian/patches/038_CVE-2008-2430.diff: Fix integer overflow in the WAV
          demuxer. Fixes arbitrary code execution. Patch from upstream git.
        - References:
          + CVE-2007-6681
          + CVE-2007-6683
          + CVE-2008-0073
          + CVE-2008-1686
          + CVE-2008-1768
          + CVE-2008-1769
          + CVE-2008-1881
          + CVE-2008-2147
          + CVE-2008-2430
    
     -- William Grant <email address hidden>   Sun, 13 Jul 2008 10:45:55 +1000
  • vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3) hardy; urgency=low
    
      * debian/control: Make vlc-plugin-pulse a dependency of vlc, to enable pulseaudio
        by default. (LP: #208579)
      * debian/patches/demuxer-fix.diff: Patch to fix FTBFS, thanks to Gentoo bug
        214809.
    
     -- Luke Yelavich <email address hidden>   Sat, 12 Apr 2008 09:23:55 +1000
  • vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu2) hardy; urgency=low
    
      * Add 031_CVE_2008_1489.diff from git head
        to fix CVE-2008-1489. (LP: #207284)
    
     -- Mario Limonciello <email address hidden>   Thu, 27 Mar 2008 21:55:17 -0500
  • vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu1) hardy; urgency=low
    
      [ Mario Limonciello ]
      * New upstream version. (LP: #206918)
        - New versioning scheme to bring attention to the fact that
          faad and x264 are in the .orig.tar.gz.
        - Fixes 6 CVEs (LP: #196452)
          + CVE: 2007-6681
          + CVE: 2007-6682
          + CVE: 2007-6683
          + CVE: 2008-0295
          + CVE: 2008-0296
      * Drop 021_CVE-2008-0984 as it's included upstream.
      * debian/rules:
        - Adjust items touched for faad2 when building.
        - Apply all faad2 patches when building
      * debian/control:
        - Add dpatch, libfaad-dev, and autotools-dev to build-depends to allow
          faad2 to build again.
        - Add automake, cvs, and libtool to build depends (now needed for building VLC)
    
      [ Martin Hamrle ]
       * Add new package with pulse output plugin (LP: #196417)
         - debian/patches/030_pulse.diff:
           + patch from upstream trunk to support pulseaudio output
         - debian/rules:
           + enable pulseaudio
         - debian/control:
           + add dependencies to libpulse-dev
           + new package description
         - Creates a NEW binary package, requiring FFe (LP: #204050)
    
     -- Mario Limonciello <email address hidden>   Tue, 25 Mar 2008 20:08:07 -0500
  • vlc (0.8.6.release.d-0ubuntu7) hardy; urgency=low
    
      * Add new package with pulse output plugin (LP: #196417)
        - debian/patches/030_pulse.diff:
          + patch from upstream trunk to support pulseaudio output
        - debian/rules:
          + enable pulseaudio
        - debian/control:
          + add dependencies to libpulse-dev
          + new package description
    
     -- Martin Hamrle <email address hidden>   Tue, 11 Mar 2008 23:09:49 +0100
  • vlc (0.8.6.release.d-0ubuntu6) hardy; urgency=low
    
      [ Andrew Starr-Bochicchio (andrewsomething) ]
      * Added Catalan, Spanish, and Polish translations to .desktop file in debian/. (LP: #199413)
       - Thanks to Siegfried Gevatter (RainCT) and Tomasz Dominikowski.
    
      [ Siegfried-Angel Gevatter Pujals ]
      * debian/vlc.desktop:
        - Update .desktop file to the current FD.o specifications.
    
     -- Andrew Starr-Bochicchio (andrewsomething) <email address hidden>   Tue, 18 Mar 2008 01:45:06 +0100
  • vlc (0.8.6.release.d-0ubuntu5) hardy; urgency=low
    
      * debian/patches/022_no_cpu_consumption.diff: (LP: #104698)
        - Fix CPU consumption when fake-tty mode is enabled
          Thx to bma (No Real Name) for providing the patch
    
     -- Stephan Hermann <email address hidden>   Thu, 06 Mar 2008 21:53:50 +0100
  • vlc (0.8.6.release.d-0ubuntu4) hardy; urgency=low
    
      [ Emanuele Gentili ]
      * SECURITY UPDATE:
        - debian/patches/021_CVE-2008-0984.diff (LP: #195949)
         + VLC media player's MPEG-4 file format parser (a.k.a. the MP4 demuxer) suffers
           from an arbitrary memory overwrite vulnerability when using crash the player
           instance.
    
      * References
        - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0984
        - http://www.videolan.org/security/sa0802.html
    
      [ Mario Limonciello ]
      * debian/control:
        - Build debian on libxul-dev instead of firefox-dev
      * debian/rules:
        - Use xulrunner-config rather than firefox-config (LP: #194907)
    
     -- Emanuele Gentili <email address hidden>   Wed, 27 Feb 2008 00:33:06 +0100
  • vlc (0.8.6.release.d-0ubuntu3) hardy; urgency=low
    
      * When building on amd64, build x264 specifically with --enable-pic.
    
     -- Mario Limonciello <email address hidden>   Thu, 06 Dec 2007 10:53:42 -0600
  • vlc (0.8.6.release.d-0ubuntu2) hardy; urgency=low
    
      [ Matt Lindell ]
      * Add jack plugin to vlc-nox package. (LP: #173391)
    
      [ Mario Limonciello ]
      * Loosen dependencies on libcaca and libvcdinfo.
    
     -- Mario Limonciello <email address hidden>   Wed, 05 Dec 2007 01:05:24 -0600
  • vlc (0.8.6.release.d-0ubuntu1) hardy; urgency=low
    
      * New upstream version. (LP: #173550)
        - Fixes ALSA/SPDIF. (LP: #153641)
      * Build with JACK support. (LP: #151895)
      * debian/rules:
        - Add a get-orig-source target for easily rebuilding with current
          x264 and faad2.
      * Rebuild with faad2 2.0.0+cvs20040908+mp4v2+bmp-0ubuntu5.
      * Rebuild with x264 1:0.svn20070930-0.0ubuntu2.
      * debian/control:
        - Add subversion to build dependencies to allow version checking
          during build identification.
        - Add libjack-dev to build dependencies
        - Make sure we depend on libcaca >=0.99.beta13b-2 to prevent a FTBFS.
        - Make sure we depend on libvcdinfo >=0.7.23-4ubuntu1 to prevent a FTBFS.
      * Disable 010_no-wx-updates.diff patch, upstream has disabled update
        checking for now already.
      * Drop 030_fix_exec_field_code.diff patch, because upstream has added
        support for files and URLs directly from calling the vlc binary.
      * Fix lintian warning for debian-rules-ignores-make-clean-error.
      * Fix lintian warning for substvar-source-version-is-deprecated.
    
     -- Mario Limonciello <email address hidden>   Sun, 02 Dec 2007 15:41:50 -0600
  • vlc (0.8.6.release.c-0ubuntu5) gutsy; urgency=low
    
      * Add patch 030_fix_exec_field_code:
        - fix opening multiple files leads to multiple instances (LP: #124712)
    
     -- Cesare Tirabassi <email address hidden>   Mon, 08 Oct 2007 23:41:44 +0200