From gtheall at tenable.com Tue Jul 9 10:54:23 2013 From: gtheall at tenable.com (George Theall) Date: Tue, 9 Jul 2013 15:54:23 +0000 Subject: [VIM] Multiple QNX Products CVE-2013-2688 Buffer Overflow Vulnerability Message-ID: <3CE0DC7D-4261-4BA5-A782-968926707A78@tenable.com> Narayan / Venkat / Rob : what difference is there between BID 61023, which was created today, and BID 53485, which was issued when Luigi Auriemma published http://aluigi.altervista.org/adv/qnxph_1-adv.txt? George -- theall at tenable.com From coley at mitre.org Wed Jul 10 11:43:54 2013 From: coley at mitre.org (Christey, Steven M.) Date: Wed, 10 Jul 2013 16:43:54 +0000 Subject: [VIM] VLC vulnerability (no, not that one) and ffmpeg Message-ID: I've been looking into the VLC MKV issue and have been wondering about a DIFFERENT issue that's also being discussed, i.e. Secunia SA51464, which http://secunia.com/blog/372/ claims to be a use-after-free in FFmpeg, although SA51464 itself makes no mention of this. http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia also says "The crash is in libavformat/libavcodec libraries, from the FFmpeg/libav projects." Looks like libavformat/swfdec.c is patched, at least on the VLC side. Has anybody dug more deeply? If this is really an upstream ffmpeg issue, has it already been published? - Steve