0.8.6a or how to do a fast release....

JBK — Mon, 08 Jan 2007 14:39:00 +0100

This is the short story of how we had to release 0.8.6a version of VLC media player because of some bugs...

A Bugfix Release

Intro

Everything was going great under the best world. VLC 0.8.6 was out during December without a lot of troubles, with a lot of fixes... A mature release, but...

Initial report

Month of Apple Bugs has started on the first of January. And the second day was a VLC security problem.

First, we did not think that we could be targeted, because we are not an Apple company... On the same day, there was a patch on the mailing-list. The fix was quite quick in the trunk.

Decisions

There was a lot of FUD and publicity around that MoAB, so we couldn't do nothing. The problem is that the chief releaser of 0.8.6, and one of the main OSX Coder was away.

So we decided to release a bugfix version without his advice.

On the third of January the packages were uploaded, a fix for ancient release was proposed.

Release

On the 4th, we announced the release after having signed the binaries...

The problem

VLC media player CDDA (CD Digital Audio) and VCDX (Video CD) plugins are prone to a C-style format string vulnerability when trying to open a media resource location. The bug occurs when handling error and debug messages from underlying library libcdio.

Personal remark

A lot of publicity around a non-event. VLC must have a lot of other security problems. We need to analyze a bit more some code...

But we react quickly enough. Great!

Yet another blog for JBKempf - Tag - MoAB