VideoLAN, a project and a non-profit organization.

Security Advisory 1001

Summary           : Clam AntiVirus input validation error
Date              : February 2010
Affected versions : VLC media player 1.0.5 for Windows
                    Clam AntiVirus all versions
ID                : VideoLAN-SA-1001
CVE reference     : N/A

Details

Clam AntiVirus incorrectly claims that the x86 SSE2-accelerated I:4:2:2 chroma conversion plugin as being a computer trojan. This affects builds of VLC media player with recent versions of the MingW compilation toolchain.

Impact

Copy, installation and/or use of VLC media player or applications based on LibVLC may be impossible.

Threat mitigation

This issue only affects users of Clam AntiVirus or anti-virus software using the same virus database.

Solution

Remove Clam AntiVirus before downloading VLC media player.

An anti-virus database has to be up-to-date to be of much use. Around 20% of tested antivirus incorrectly detected as VLC 1.0.5 as a trojan at the time of release. Kaspersky Anti-Virus was updated within one business day. The VideoLAN project advises against the use of Clam AntiVirus. Users should not rely on a security software which fails to be updated within a full month period (to date).

Credits

This vulnerability was reported by many different people individiually.

References

The VideoLAN project
http://www.videolan.org/

History

28 January 2010
VLC media player 1.0.5 released.
15 February 2010 (probably earlier)
Vendor notification.
28 February 2010
Initial security advisory.

Rémi Denis-Courmont,
on behalf of the VideoLAN project