Updated live555, vlc & mplayer packages fix several issues
Publication date: 26 Jul 2014Modification date: 26 Jul 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2013-4388
Description
Updated live, mplayer, and vlc packages fix security vulnerabilities:
The live555 RTSP streaming server and client libraries before 2013.11.29 are
vulnerable to buffer overflows in RTSP command parsing that potentially allow
for arbitrary code execution when connected to a malicious client or server.
The RTSP client streaming code in the mplayer and vlc packages is built from
the live555 code in the live package. They have been rebuilt with the updated
live packages.
The vlc packages have also been updated to 2.0.10 for Mageia 3 and 2.1.5 for
Mageia 4, fixing several other bugs and potential security issues. The Mageia
3 update fixes a buffer overflow in the mp4a packetizer (CVE-2013-4388) that
was fixed upstream in 2.0.9.
Finally, the mplayer update for Mageia 3 includes two upstream patches; one
disables playlist parsing for security reasons and the other fixes mp3
decoding cutting out early (mga#10478).
References
- http://live555.com/liveMedia/public/changelog.txt
- http://www.videolan.org/developers/vlc-branch/NEWS
- http://lists.mplayerhq.hu/pipermail/mplayer-announce/2013-May/000070.html
- https://www.debian.org/security/2014/dsa-2973
- https://bugs.mageia.org/show_bug.cgi?id=10478
- https://bugs.mageia.org/show_bug.cgi?id=13705
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4388
SRPMS
4/tainted
- vlc-2.1.5-1.mga4.tainted
- mplayer-1.1.1-3.r36361.3.mga4.tainted
4/core
- live-2014.07.04-1.mga4
- vlc-2.1.5-1.mga4
- mplayer-1.1.1-3.r36361.3.mga4
3/tainted
- vlc-2.0.10-1.mga3.tainted
- mplayer-1.1-13.r35916.3.mga3.tainted
3/core
- live-2014.07.04-1.mga3
- vlc-2.0.10-1.mga3
- mplayer-1.1-13.r35916.3.mga3