Bug 866611 - (CVE-2014-1684) VUL-0: CVE-2014-1684: vlc: ASF_ReadObject_file_properties denial of service
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Dominique Leuenberger
Security Team bot
Reported: 2014-03-03 20:36 UTC by Marcus Meissner
Modified: 2014-03-04 06:09 UTC
Found By: Security Response Team
Description Marcus Meissner 2014-03-03 20:36:28 UTC
CVE-2014-1684, via NVD DB

The ASF_ReadObject_file_properties function in modules/demux/asf/libasf.c in the ASF Demuxer in VideoLAN VLC Media Player before 2.1.3 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a zero minimum and maximum data packet size in an ASF file.
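
Added example, not part of the bug report and not VLC's patch: a C check that rejects the zero minimum/maximum data packet size described above before any later code divides by it. The function names are hypothetical, the field offsets (92 and 96 in the 104-byte ASF File Properties Object) follow the ASF format layout, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASF_FILEPROPS_LEN 104u /* size of the File Properties Object */
#define OFF_MIN_PKT 92u        /* Minimum Data Packet Size, 32-bit LE */
#define OFF_MAX_PKT 96u        /* Maximum Data Packet Size, 32-bit LE */

enum { ASF_OK = 0, ASF_ERR_SHORT = -1, ASF_ERR_PACKET_SIZE = -2 };
struct asf_fileprops { uint32_t min_pkt, max_pkt; };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Read both packet-size fields; refuse zero (a later divisor) and min > max. */
int asf_parse_fileprops(const uint8_t *buf, size_t len, struct asf_fileprops *out) {
    if (len < ASF_FILEPROPS_LEN) return ASF_ERR_SHORT;
    uint32_t min_pkt = rd_le32(buf + OFF_MIN_PKT);
    uint32_t max_pkt = rd_le32(buf + OFF_MAX_PKT);
    if (min_pkt == 0 || max_pkt == 0 || min_pkt > max_pkt)
        return ASF_ERR_PACKET_SIZE;
    out->min_pkt = min_pkt;
    out->max_pkt = max_pkt;
    return ASF_OK;
}

/* Whole packets in data_len bytes; guards the divisor for callers that skipped the parser. */
uint64_t asf_packet_count(const struct asf_fileprops *fp, uint64_t data_len) {
    return fp->min_pkt ? data_len / fp->min_pkt : 0;
}

/* Constructed sample: zero-filled object with only the two size fields set. */
void asf_sample(uint8_t *buf, uint32_t min_pkt, uint32_t max_pkt) {
    memset(buf, 0, ASF_FILEPROPS_LEN);
    for (int i = 0; i < 4; i++) {
        buf[OFF_MIN_PKT + i] = (uint8_t)(min_pkt >> (8 * i));
        buf[OFF_MAX_PKT + i] = (uint8_t)(max_pkt >> (8 * i));
    }
}

int main(void) {
    uint8_t obj[ASF_FILEPROPS_LEN];
    struct asf_fileprops fp;
    asf_sample(obj, 0, 0); /* the zero/zero condition from the CVE text */
    printf("zero sizes: %d\n", asf_parse_fileprops(obj, sizeof obj, &fp));
    return 0;
}
```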




Comment 1 Dominique Leuenberger 2014-03-03 20:48:46 UTC
We already have VLC 2.1.3 in the update channel; 

The changelog of this version contains:
  + Demuxers:
    - Fix divide by 0 on ASF/WMV parsing

Which is the change described in the git commit referenced in comment #0;

so I'd say we are safe to close that already; agree?
Comment 2 Marcus Meissner 2014-03-03 22:34:09 UTC
yes, please do
Comment 3 Swamp Workflow Management 2014-03-03 23:00:33 UTC
bugbot adjusting priority
Comment 4 Dominique Leuenberger 2014-03-04 06:09:38 UTC
Bugs are fixed faster than you can report them;

This specific fix was included in the maintenance update to 2.1.3, which has already been done for 13.1.

13.1 at this moment is the only product shipping vlc.