Security Advisory 0804
Summary : Arbitrary file overwrite and other abuses through M3U parser
Date : November 2007
Affected versions : VLC media player 0.8.6c and earlier
ID : VideoLAN-SA-0804
CVE reference : CVE-2007-6683
Details
Using VLC media player's M3U Playlist Parser could lead to arbitrary file overwrite and other unwanted actions within the security context of the user running VLC.
Impact
If successful, a malicious third party could misuse the Stream Output features of VLC media player through the M3U Playlist Parser to write arbitrary data to any accessible file system location, send packets on the network, etc.
Threat mitigation
Exploitation of these design issues requires the user to open a specially crafted M3U playlist file.
Workarounds
The user should not use VLC media player's --m3u-extvlcopt setting, which enables parsing of exploitable playlist item options. This option is only found in some 0.8.6 releases; from VLC 0.9.0, unsafe playlist extensions are always ignored.
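One way to screen playlists before they are opened in an affected VLC build, given as an added example that is not part of the original advisory or of VLC's code: it flags `#EXTVLCOPT:` lines, the M3U extension that attaches options to a playlist item, and rates the `sout` (Stream Output) family as high risk. The sample playlist, the severity labels and the function names are constructed for illustration.

```python
import re

# "#EXTVLCOPT:<option>[=<value>]" attaches a VLC option to the next playlist item.
EXTVLCOPT = re.compile(r"^#EXTVLCOPT:\s*([^=\s]+)\s*(?:=(.*))?$", re.IGNORECASE)
# Assumption of this example: Stream Output options are the high-risk family.
HIGH_RISK_PREFIXES = ("sout",)

def audit_m3u(text):
    """Return (line_no, option, severity, item) for every per-item option found."""
    findings, pending = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.lstrip("\ufeff").strip()      # tolerate a BOM and padding
        m = EXTVLCOPT.match(line)
        if m:
            # Normalise spellings such as ":sout" or "--sout" to "sout".
            option = m.group(1).lstrip("-:").lower()
            severity = "high" if option.startswith(HIGH_RISK_PREFIXES) else "review"
            pending.append((line_no, option, severity))
        elif line and not line.startswith("#"):
            # A media location: the pending options apply to this item.
            findings += [(n, o, s, line) for n, o, s in pending]
            pending = []
    # Options left at end of file have no item to attach to; report them anyway.
    findings += [(n, o, s, None) for n, o, s in pending]
    return findings

def is_safe_to_open(text):
    """Strict policy: refuse any playlist that carries per-item VLC options."""
    return not audit_m3u(text)

# Constructed sample playlist; the sout value is a placeholder, not a real chain.
SAMPLE = "\n".join([
    "#EXTM3U",
    "#EXTINF:123,Track one",
    "#EXTVLCOPT:network-caching=1000",
    "http://media.example/one.mp3",
    "#EXTINF:60,Track two",
    "#EXTVLCOPT:sout=<stream-output-chain-elided>",
    "http://media.example/two.mp3",
])

if __name__ == "__main__":
    for line_no, option, severity, item in audit_m3u(SAMPLE):
        print(f"line {line_no}: {option} [{severity}] -> {item}")
```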
Solution
VLC media player 0.8.6d addresses these design issues and introduces further usability fixes.
Credits
These vulnerabilities were discovered internally by multiple members of the VideoLAN Team, notably Damien Fouilleul and Rémi Denis-Courmont.
References
- The VideoLAN project
- trac ticket #1371
- http://www.videolan.org/
History
- 21 January 2009
  - Clarifications
- 10 May 2008
  - Added CVE ID reference
- 30 November 2007
  - VLC 0.8.6d bugfix release
- 20 November 2007
  - Patch provided against VLC 0.8.6 source code
  - Patch applied to VLC development tree
  - Ticket opened
on behalf of the VideoLAN project