Bug 866611 - (CVE-2014-1684) VUL-0: CVE-2014-1684: vlc: ASF_ReadObject_file_properties denial of service
(CVE-2014-1684)
VUL-0: CVE-2014-1684: vlc: ASF_ReadObject_file_properties denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Dominique Leuenberger
Security Team bot
https://smash.suse.de/issue/96752/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-03 20:36 UTC by Marcus Meissner
Modified: 2014-03-04 06:09 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-03-03 20:36:28 UTC
CVE-2014-1684, via NVD DB

The ASF_ReadObject_file_properties function in modules/demux/asf/libasf.c in the ASF Demuxer in VideoLAN VLC Media Player before 2.1.3 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a zero minimum and maximum data packet size in an ASF file.


References: 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1684

http://git.videolan.org/gitweb.cgi/vlc.git/?p=vlc.git;a=commitdiff;h=98787d0843612271e99d62bee0dfd8197f0cf404

https://trac.videolan.org/vlc/ticket/10482

http://www.elsherei.com/?p=269
Comment 1 Dominique Leuenberger 2014-03-03 20:48:46 UTC
We already have VLC 2.1.3 in the update channel; 

The changelog of this version contains:
[...]
  + Demuxers:
[...]
    - Fix divide by 0 on ASF/WMV parsing

Which is the change described in the git commit referenced in comment #0;

so I'd say we are safe to close that already; agree?
Comment 2 Marcus Meissner 2014-03-03 22:34:09 UTC
yes, please do
Comment 3 Swamp Workflow Management 2014-03-03 23:00:33 UTC
bugbot adjusting priority
Comment 4 Dominique Leuenberger 2014-03-04 06:09:38 UTC
Bugs are fixed faster than you can report them;

This specific fix was included in the maintenance update to 2.1.3, which has already been done for 13.1.

13.1 at this moment is the only product shipping vlc.