CLD-469 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-11529 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) vlc
Deficiency Type SECURITY
Date Created 2018-07-11 17:27:10
Date Last Modified 2018-07-18 10:53:53

Version Specific Information:

Cucumber 1.0 i686 waiting for upstream to publish patch
Cucumber 1.0 x86_64 waiting for upstream to publish patch

Cucumber 1.1 i686 waiting for upstream to publish patch
Cucumber 1.1 x86_64 waiting for upstream to publish patch

Details:

Allows for arbitrary code execution if the user opens a malicious MKV file.

The VLC developers have fixed this in version 3.0.3 of VLC; however, they have
no intention of fixing it in VLC 2.2.x (the version used on Cucumber Linux
1.0/1.1). We can not upgrade to VLC 3.0.x due to ABI incompatibilities and
dependency changes. Additionally, the VLC developers have no idea what actions
are necessary to fix this vulnerability; they claim that they happened to fix
it in one of the many changes they made between VLC 2.2.8 and 3.0.0, but they
have no idea which commit fixed it.

This leaves us with no choice other than to essentially remain vulnerable to
this. Shame on the VLC developers. Perhaps it is time to start looking for a
new media player for Cucumber Linux 2.0.