CVE-2017-17670 in Ubuntu

CVE-2017-17670

Priority

Description

In VideoLAN VLC media player through 2.2.8, there is a type conversion
vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading
to a invalid free, because the type of a box may be changed between a read
operation and a free operation.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17670
http://www.openwall.com/lists/oss-security/2017/12/15/1
http://openwall.com/lists/oss-security/2017/12/15/1
https://www.openwall.com/lists/oss-security/2017/12/15/5

Notes

mikesalvatore

According to the openwall thread, "the VLC project probably
won't backport a fix to 2.2.x." I'm deferring this CVE.

Package

Source: vlc (LP Ubuntu Debian)

Upstream:	released (3.0.2-0+deb9u1)
Ubuntu 18.04 LTS:	not-affected (3.0.3-1-1ubuntu1)
Ubuntu 20.04 LTS:	not-affected (3.0.4-2build1)
Ubuntu 21.10:	not-affected (3.0.4-2build1)
Ubuntu 22.04 LTS:	not-affected (3.0.4-2build1)
Ubuntu 14.04 ESM:	DNE (trusty was deferred [2019-04-23])

Patches:

More Information

Updated: 2022-04-25 00:20:01 UTC (commit ecc1009cb19540b950de59270950018900f37f15)