[Libquicktime-devel] Fwd: Bug#855099: libquicktime: CVE-2016-2399

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi,

Please see the Debian bug at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855099

Also please see a fairly minimal patch attached.

Cheers,
Balint

---------- Forwarded message ----------
From: Salvatore Bonaccorso <ca...@de...>
Date: 2017-02-14 5:54 GMT+01:00
Subject: Bug#855099: libquicktime: CVE-2016-2399
To: Debian Bug Tracking System <su...@bu...>

Source: libquicktime
Version: 2:1.2.4-7
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libquicktime.

CVE-2016-2399[0]:
| Integer overflow in the quicktime_read_pascal function in libquicktime
| 1.2.4 and earlier allows remote attackers to cause a denial of service
| or possibly have other unspecified impact via a crafted hdlr MP4 atom.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2399

Regards,
Salvatore