A Bugfix Release
Intro
Everything was going great under the best world. VLC 0.8.6 was out during December without a lot of troubles, with a lot of fixes… A mature release, but…
Initial report
Month of Apple Bugs has started on the first of January. And the second day was a VLC security problem.
First, we did not think that we could be targeted, because we are not an Apple company… On the same day, there was a patch on the mailing-list. The fix was quite quick in the trunk.
Decisions
There was a lot of FUD and publicity around that MoAB, so we couldn’t do nothing. The problem is that the chief releaser of 0.8.6, and one of the main OSX Coder was away.
So we decided to release a bugfix version without his advice.
On the third of January the packages were uploaded, a fix for ancient release was proposed.
Release
On the 4th, we announced the release after having signed the binaries…
The problem
VLC media player CDDA (CD Digital Audio) and VCDX (Video CD) plugins are prone to a C-style format string vulnerability when trying to open a media resource location. The bug occurs when handling error and debug messages from underlying library libcdio.
Personal remark
A lot of publicity around a non-event. VLC must have a lot of other security problems. We need to analyze a bit more some code…
But we react quickly enough. Great!