Candidate: CVE-2014-9626
PublicDate: 2020-01-24 22:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9626
Description:
 Integer underflow in the MP4_ReadBox_String function in
 modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 allows
 remote attackers to cause a denial of service or possibly have unspecified
 other impact via a box size less than 7.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775866
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_vlc:
 upstream: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39
upstream_vlc: released (2.1.6,2.2.0)
lucid_vlc: ignored (reached end-of-life)
precise_vlc: ignored (reached end-of-life)
precise/esm_vlc: DNE (precise was needed)
trusty_vlc: released (2.1.6-0ubuntu14.04.1)
trusty/esm_vlc: DNE (trusty was released [2.1.6-0ubuntu14.04.1])
utopic_vlc: released (2.2.0-0ubuntu0.14.10.1)
vivid_vlc: not-affected (2.2.0~rc2-2)
vivid/stable-phone-overlay_vlc: DNE
vivid/ubuntu-core_vlc: DNE
wily_vlc: not-affected (2.2.0~rc2-2)
xenial_vlc: not-affected (2.2.0~rc2-2)
yakkety_vlc: not-affected (2.2.0~rc2-2)
zesty_vlc: not-affected (2.2.0~rc2-2)
devel_vlc: not-affected (2.2.0~rc2-2)