VideoLAN, a project and a non-profit organization.

Security Advisory 1108

Summary           : Heap corruption in VLC TiVo demuxer
Date              : December 2011
Affected versions : VLC media player 1.1.12 down to 0.9.0
ID                : VideoLAN-SA-1108
CVE reference     : CVE-2012-0023

Details

When parsing the header of an invalid TY file, the heap might be corrupted.

Impact

If successful, a malicious third party could crash the VLC media player process. Arbitrary code execution might be possible on some systems, though this is unconfirmed.

Threat mitigation

Exploitation of this issue requires the user to explicitly open a specially crafted file.

Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

Alternatively, the TY demux plugin (libty_plugin.*) can be removed manually from the VLC plugin installation directory. This will prevent opening of TiVo files.

Solution

VLC media player 1.1.13 addresses this issue. Patches for older versions are available from the official VLC source code repository vlc-1.1.git.

Credits

This vulnerability was reported by Clement Lecigne.

References

The VideoLAN project
http://www.videolan.org/
VLC official GIT repository
http://git.videolan.org/?p=vlc.git

History

20 December 2011
Vendor notification.
Patch for VLC development version, 1.2 and 1.1 trees.
Initial security advisory.
20 Decemer 2011
VLC media player 1.1.13 released.
Rémi Denis-Courmont,
on behalf of the VideoLAN project