Summary : NULL dereference vulnerability in HTTP and RTSP server
Date : 06 October 2011
Affected versions : VLC media player 1.1.11 and earlier
ID : VideoLAN-SA-1107
CVE references : CVE-2011-3333
VLC media player suffers from a NULL dereference vulnerability in the HTTP and RTSP server component.
If exploited successfully, a malicious third party could crash the server process. Arbitrary code execution within the context of VLC media player is not believed possible.
Exploiting this vulnerability requires that the user has explicitly started the HTTP web interface, HTTP output, RTSP output or RTSP VoD functions.
Where possible, limit access to the VLC server to trusted IP addresses.
Alternatively, configure a deep inspection firewall to block malformed HTTP and RTSP requests.
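The two workarounds above (a trusted-address allowlist in front of the VLC server, and rejecting requests that do not parse as well-formed HTTP or RTSP) can be modelled as a single pre-filter. The following is an added illustration written for this page, not code from VideoLAN or from VLC; the trusted networks, the sample requests and the accepted method lists are constructed assumptions that a deployment would adjust. It checks the source address against the allowlist first and then validates the request head (request line, header lines, and the CSeq header RTSP requires) before anything reaches the server:

```python
import ipaddress
import re

# Constructed allowlist (assumption): loopback plus one LAN; adjust to your deployment.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "192.168.1.0/24")
]

# Request line shared by HTTP and RTSP: METHOD SP Request-URI SP Version
REQUEST_LINE = re.compile(r"^([A-Z_]+) (\S+) (HTTP/1\.[01]|RTSP/1\.0)$")
# Header line: token ":" optional whitespace value
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*)$")

# Methods accepted per protocol (assumption: a minimal set for a media server)
HTTP_METHODS = {"GET", "HEAD", "POST"}
RTSP_METHODS = {"OPTIONS", "DESCRIBE", "SETUP", "PLAY", "PAUSE",
                "TEARDOWN", "GET_PARAMETER", "SET_PARAMETER"}


def is_trusted(src_ip: str) -> bool:
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_request(raw: bytes):
    """Return (method, uri, version, headers) or raise ValueError if malformed."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request head")
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated by an empty line")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    method, uri, version = m.groups()
    allowed = HTTP_METHODS if version.startswith("HTTP") else RTSP_METHODS
    if method not in allowed:
        raise ValueError(f"method {method} not accepted for {version}")
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            raise ValueError(f"bad header line: {line!r}")
        headers[h.group(1).lower()] = h.group(2)
    # RTSP requires a CSeq header on every request; treat its absence as malformed.
    if version.startswith("RTSP") and "cseq" not in headers:
        raise ValueError("RTSP request lacks CSeq header")
    return method, uri, version, headers


def decide(src_ip: str, raw: bytes) -> str:
    """Apply the allowlist, then the well-formedness check; return the verdict."""
    if not is_trusted(src_ip):
        return "DROP: untrusted source"
    try:
        method, uri, version, _ = parse_request(raw)
    except ValueError as exc:
        return f"DROP: malformed ({exc})"
    return f"PASS: {method} {uri} {version}"


if __name__ == "__main__":
    # Constructed sample traffic: one good HTTP request from the LAN, the same
    # request from an outside address, and an RTSP request missing its CSeq.
    samples = [
        ("192.168.1.20", b"GET /index.html HTTP/1.1\r\nHost: vlc\r\n\r\n"),
        ("203.0.113.5", b"GET /index.html HTTP/1.1\r\nHost: vlc\r\n\r\n"),
        ("192.168.1.20", b"DESCRIBE rtsp://vlc/movie RTSP/1.0\r\n\r\n"),
    ]
    for ip, req in samples:
        print(ip, "->", decide(ip, req))
```

The allowlist check runs first so that an untrusted client never gets to exercise the parser at all, which is the property the first workaround relies on; the parse step only models what a deep-inspection rule would reject, so a request that passes here has merely cleared the obvious structural checks and is not guaranteed safe.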
VLC media player 1.1.12 addresses this issue. A source code patch is also available as an alternative.
This vulnerability was discovered by Jouni Knuutinen from Codenomicon Oy and coordinated by Antti Kiuru from the CERT-FI security unit at the Finnish Communications Regulatory Authority (FICORA).