Security Advisory 0807
Summary : Multiple overflows in VLC demuxers
Date : August 2008
Affected versions : VLC media player 0.8.6i and earlier
ID : VideoLAN-SA-0807
CVE reference : CVE-2008-3732, CVE-2008-3794
Details
When parsing the header of an invalid TTA file, an integer overflow might happen, causing a heap-based buffer overflow.
When parsing a response from an MMS server, an integer overflow might happen, causing a stack-based buffer overflow.
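The bug class behind both issues, as an added example that is not VLC's code: a buffer size computed in 32-bit arithmetic from an untrusted count wraps around, and the fix is to bound the count against the input actually available before multiplying. The function names, the 4-byte entry size and the sample field value are assumptions made for illustration; the advisory does not describe the affected code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ENTRY_SIZE 4u  /* assumed: one 32-bit table entry per frame */

/* Read a little-endian 32-bit field from an untrusted header. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unsafe pattern: 32-bit arithmetic on the untrusted count. The result
 * wraps modulo 2^32, so the buffer is far smaller than the number of
 * entries the parser would go on to process. */
static uint32_t table_size_unchecked(uint32_t frames)
{
    return (frames + 1u) * ENTRY_SIZE;
}

/* Hardened pattern: reject any count whose table cannot fit in the bytes
 * left in the input, before multiplying. Returns 0 and stores the size
 * on success, -1 on a bogus header. */
static int table_size_checked(uint32_t frames, size_t bytes_left, size_t *out)
{
    if (frames == 0 || frames == UINT32_MAX)
        return -1;
    if ((size_t)frames + 1 > bytes_left / ENTRY_SIZE)
        return -1;
    *out = ((size_t)frames + 1) * ENTRY_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed sample: count field 0x3FFFFFFF in a 64-byte input. */
    const uint8_t field[4] = { 0xFF, 0xFF, 0xFF, 0x3F };
    uint32_t frames = rd_le32(field);
    size_t size = 0;

    printf("unchecked size: %u bytes\n", (unsigned)table_size_unchecked(frames));
    printf("checked: %s\n",
           table_size_checked(frames, 64, &size) == 0 ? "accepted" : "rejected");
    return 0;
}
```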
Impact
If successful, a malicious third party could trigger execution of arbitrary code within the context of the VLC media player. However, because the integer overflows will cause an unusually large amount of memory to be read, a page fault is most likely to occur (segmentation fault on Unix systems, general protection fault on Windows), resulting in a termination of the VLC process.
Threat mitigation
Exploitation of this issue requires the user to explicitly open a specially crafted file, or access a malicious MMS server.
Workarounds
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.
Solution
VLC media player 0.9.1 addresses these issues. Patches for VLC media player 0.8.6 are available from the official VLC source code repository.
Credits
This vulnerability was not responsibly disclosed. There are no credits.
References
- The VideoLAN project: http://www.videolan.org/
History
- 16 August 2008
  - TTA vulnerability public disclosure.
- 20 August 2008
  - Vendor notified by third parties.
  - TTA source code fixes for VLC 0.9.
- 21 August 2008
  - TTA source code fixes for VLC 0.8.6.
- 24 August 2008
  - MMS vulnerability public disclosure.
  - Vendor notified by third parties.
  - MMS source code fixes for VLC 0.8.6 and 0.9.
  - VLC media player 0.9.0 released.
- 30 August 2008
  - Initial security advisory.
on behalf of the VideoLAN project