Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23732
HistoryApr 30, 2010 - 12:00 a.m.

VideoLAN Security Advisory 1003

2010-04-3000:00:00
vulners.com
5
JSON

Security Advisory 1003

Summary : Heap buffer overflow vulnerability in A/52, DTS
and MPEG Audio decoders
Invalid memory access in AVI, ASF, Matroska (MKV) demuxers
Invalid memory access in XSPF playlist parser
Invalid memory access in ZIP archive decompressor
Heap buffer overflow in RTMP access
Date : 19 April 2010
Affected versions : VLC media player 1.0.5 down to 0.5.0
ID : VideoLAN-SA-1003
CVE references : N/A (at the time of writing)

Details

VLC media player suffers from various vulnerabilities when attempting to parse malformatted or overly long byte streams.
Impact

If successful, a malicious third party could crash the player instance or perhaps execute arbitrary code within the context of VLC media player.
Threat mitigation

Exploitation of those bugs requires the user to explicitly open specifically crafted malicious files.
Workarounds

The user may refrain from opening files from untrusted sources.
Solution

VLC media player 1.0.6 addresses these issues and introduces further stability fixes.

VLC media player 1.1.0 (currently in pre-release stage) addresses these issues as well and introduces further enhancements and fixes over version 1.0.6.
Credits

These vulnerabilities were discovered by the development team while working on VLC 1.1.0.
References

The VideoLAN Project
http://www.videolan.org/

History

21 April 2010
VLC 1.0.6 bugfix release
Initial advisory

Rémi Denis-Courmont,
on behalf of the VideoLAN project

JSON