diff -Nru gst-plugins-bad0.10-0.10.23/debian/changelog gst-plugins-bad0.10-0.10.23/debian/changelog
--- gst-plugins-bad0.10-0.10.23/debian/changelog 2016-11-14 20:58:51.000000000 +0000
+++ gst-plugins-bad0.10-0.10.23/debian/changelog 2016-11-17 00:49:38.000000000 +0000
@@ -1,3 +1,12 @@
+gst-plugins-bad0.10 (0.10.23-7.2ubuntu1.3) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: code execution via integer overflow in vmncdec
+ - debian/patches/vmncdec_overflow.patch: sanity-check width/height
+ before using it in gst/vmnc/vmncdec.c.
+ - No CVE number
+
+ -- Marc Deslauriers Wed, 16 Nov 2016 19:49:16 -0500
+
 gst-plugins-bad0.10 (0.10.23-7.2ubuntu1.2) trusty-security; urgency=medium
 
 * SECURITY UPDATE: code execution via NSF music file (LP: #1641700)
diff -Nru gst-plugins-bad0.10-0.10.23/debian/patches/series gst-plugins-bad0.10-0.10.23/debian/patches/series
--- gst-plugins-bad0.10-0.10.23/debian/patches/series 2015-04-15 15:44:09.000000000 +0000
+++ gst-plugins-bad0.10-0.10.23/debian/patches/series 2016-11-17 00:49:11.000000000 +0000
@@ -16,3 +16,4 @@
 0031-docs-voamrwbenc.patch
 0032-fix-compat-with-updated-libmodplug.patch
 CVE-2015-0797.patch
+vmncdec_overflow.patch
diff -Nru gst-plugins-bad0.10-0.10.23/debian/patches/vmncdec_overflow.patch gst-plugins-bad0.10-0.10.23/debian/patches/vmncdec_overflow.patch
--- gst-plugins-bad0.10-0.10.23/debian/patches/vmncdec_overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad0.10-0.10.23/debian/patches/vmncdec_overflow.patch 2016-11-17 00:49:11.000000000 +0000
@@ -0,0 +1,46 @@
+Backport of:
+
+From 4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 16 Nov 2016 20:41:39 +0200
+Subject: vmncdec: Sanity-check width/height before using it
+
+We will allocate a screen area of width*height*bpp bytes, however this
+calculation can easily overflow if too high width or height are given
+inside the stream. Nonetheless we would just assume that enough memory
+was allocated, try to fill it and overwrite as much memory as wanted.
+
+Also allocate the screen area filled with zeroes to ensure that we start
+with full-black and not any random (or not so random) data.
+
+https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
+
+Ideally we should just remove this plugin in favour of the one in
+gst-libav, which generally seems to be of better code quality.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774533
+
+Index: gst-plugins-bad1.0-1.2.4/gst/vmnc/vmncdec.c
+===================================================================
+--- gst-plugins-bad1.0-1.2.4.orig/gst/vmnc/vmncdec.c 2016-11-16 19:46:04.819578535 -0500
++++ gst-plugins-bad1.0-1.2.4/gst/vmnc/vmncdec.c 2016-11-16 19:47:02.240187274 -0500
+@@ -370,7 +370,7 @@
+
+ if (dec->imagedata)
+ g_free (dec->imagedata);
+- dec->imagedata = g_malloc (dec->format.width * dec->format.height *
++ dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
+ dec->format.bytes_per_pixel);
+ GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
+
+@@ -901,6 +901,10 @@
+ GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
+ return ERROR_INVALID;
+ }
++ } else if (r.width > 16384 || r.height > 16384) {
++ GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
++ r.height);
++ return ERROR_INVALID;
+ }
+
+ switch (r.type) {
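Review bot: The new `} else if (r.width > 16384 || r.height > 16384)` guard in the `@@ -901` hunk of the embedded vmncdec.c patch hard-codes 16384 with nothing explaining what it bounds; the limit only makes sense together with the `width * height * bytes_per_pixel` product handed to `g_malloc0` in the `@@ -370` hunk, and the two sites are not tied together. A comment at the check, e.g. `/* bound so width * height * bytes_per_pixel cannot overflow in the imagedata allocation */`, or a shared named constant (something like `VMNC_MAX_DIMENSION`) used at both sites would make the invariant visible and checkable. Whether 16384 is small enough presumably depends on the types of the `format` fields and on the largest `bytes_per_pixel` the decoder accepts, neither of which is visible here — worth confirming in the 0.10 tree, since the patch was written against gst-plugins-bad1.0-1.2.4. Even within the bound the allocation is still sized by stream data, and `g_malloc0` aborts rather than returning NULL when it fails; `g_try_malloc0` with a NULL check that returns an error would be the more defensive choice for a decoder fed untrusted input. Both hunks sit inside functions that start and end outside the shown context.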