VideoLAN, a project and a non-profit organization.

Security Advisory 0804

Summary           : Arbitrary file overwrite and other abuses
                    through M3U parser
Date              : November 2007
Affected versions : VLC media player 0.8.6c and earlier
ID                : VideoLAN-SA-0804
CVE reference     : CVE-2007-6683

Details

Using VLC media player's M3U Playlist Parser could lead to arbitrary file overwrite and other unwanted actions within the security context of the user running VLC.

Impact

If successful, a malicious third party could misuse the Stream Output features of VLC media player through the M3U Playlist Parser to write arbitrary data to any accessible file system location, send packets on the network, etc.

Threat mitigation

Exploitation of these design issues requires the user to open a specially crafted M3U playlist file.

Workarounds

The user should not use VLC media player's --m3u-extvlcopt setting, which enables parsing of exploitable playlist item options. This option is only found in some 0.8.6 releases; from VLC 0.9.0, unsafe playlist extensions are always ignored.
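
For playlists received from untrusted sources, the workaround can be backed by a check before the file is opened. The following is an added example, not code from the VideoLAN project: it lists every #EXTVLCOPT item-option line in an M3U playlist (the directive that --m3u-extvlcopt enables parsing of) and returns a copy with those lines dropped. The function name, the "sout" prefix list and the sample playlist are assumptions made for illustration.

```python
# Added example: audit an M3U playlist for #EXTVLCOPT item options before it is
# opened in a VLC build where --m3u-extvlcopt may be enabled.
import io

DIRECTIVE = "#EXTVLCOPT:"
# Assumption: option-name prefixes this audit treats as Stream Output related.
# Illustrative only; this is not VLC's internal list of unsafe options.
SOUT_PREFIXES = ("sout",)


def audit_m3u(text):
    """Return (findings, cleaned_text).

    findings: list of (line_number, option_name, is_stream_output)
    cleaned_text: the playlist with every #EXTVLCOPT line dropped, so no
    playlist-supplied item option reaches the player.
    """
    findings, kept = [], []
    # Strip a UTF-8 BOM so a directive on the first line is not missed.
    for number, raw in enumerate(io.StringIO(text.lstrip("\ufeff")), start=1):
        line = raw.strip()
        if line[:len(DIRECTIVE)].upper() == DIRECTIVE:
            option = line[len(DIRECTIVE):].strip()
            # Tolerate name, name=value, :name and --name spellings.
            name = option.split("=", 1)[0].strip().lstrip(":-").lower()
            findings.append((number, name, name.startswith(SOUT_PREFIXES)))
            continue  # drop the directive from the cleaned playlist
        kept.append(raw.rstrip("\r\n"))
    return findings, "\n".join(kept) + "\n"


# Constructed sample playlist; the option values are placeholders.
SAMPLE = (
    "\ufeff#EXTM3U\n"
    "#EXTINF:123,Example track\n"
    "  #extvlcopt:sout=PLACEHOLDER\n"
    "#EXTVLCOPT:network-caching=1000\n"
    "http://media.example.invalid/track.mp3\n"
)

if __name__ == "__main__":
    found, cleaned = audit_m3u(SAMPLE)
    for number, name, is_sout in found:
        tag = "STREAM-OUTPUT" if is_sout else "item-option"
        print(f"line {number}: {tag}: {name}")
    print(cleaned, end="")
```

Any finding means the playlist tries to set player options; a finding marked as Stream Output related is the case this advisory describes.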

Solution

VLC media player 0.8.6d addresses these design issues and introduces further usability fixes.

Credits

These vulnerabilities were discovered internally by multiple members of the VideoLAN Team, notably Damien Fouilleul and Rémi Denis-Courmont.

References

The VideoLAN project
GitLab issue #1371
http://www.videolan.org/

History

21 January 2009
Clarifications
10 May 2008
Added CVE ID reference
30 November 2007
VLC 0.8.6d bugfix release
20 November 2007
Patch provided against VLC 0.8.6 source code
Patch applied to VLC development tree
Ticket opened
Rémi Denis-Courmont, Damien Fouilleul, Felix Paul Kühne,
on behalf of the VideoLAN project