VideoLAN, a project and a non-profit organization.

Security Advisory 0803

Summary           : Buffer overflows in multiple modules
Date              : 13 April 2008
Affected versions : VLC media player 0.8.6e and earlier
ID                : VideoLAN-SA-0803
CVE reference     : CVE-2008-0073, CVE-2008-1489, CVE-2008-1768, CVE-2008-1769

Details

The following VLC media player modules suffer from arbitrary memory overwrite vulnerabilities when processing specially crafted (invalid) input streams or files: the Real RTSP and Real media demuxers, the MP4 demuxer, and the Cinepak decoder.

Impact

If exploitation succeeds, a malicious third party could trigger the execution of arbitrary code within the context of the running instance, or terminate the application unexpectedly.

Threat mitigation

Exploitation of the MP4 / Real Media demuxer or the Cinepak decoder issues requires the user to explicitly open specially crafted files or streams.

Exploitation of the Real RTSP problems requires the user to explicitly open streams provided by malicious third parties.

Workarounds

The user is asked to open Real RTSP / Real Media streams and MP4 files, as well as files containing Cinepak video streams, from trusted content providers only. In case of uncertainty, it is recommended not to open this kind of stream or file. RTSP streams can easily be identified by the rtsp prefix of their URL/MRL, while the MP4 container file type is recognizable by the mp4 suffix. Cinepak encoded video streams are usually found in MOV and MP4 container files only, which can be recognized by their mp4 and mov suffixes. Real Media files usually include ram, ra or rm suffixes.
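The prefix and suffix hints above can be applied to a playlist or a list of links before opening them in an affected build. The following is an added example, not code from the VideoLAN project. The function names, the sample inputs and the rule that a version without a letter sorts before "a" are assumptions, and because the advisory only says "usually", an empty result is not proof that a file is safe.

```python
import re
from urllib.parse import urlsplit, unquote

LAST_AFFECTED = "0.8.6e"  # advisory: "0.8.6e and earlier"

# Suffix hints as listed in the Workarounds paragraph (heuristic only).
SUFFIX_HINTS = {
    "mp4": "MP4 demuxer / possible Cinepak video",
    "mov": "possible Cinepak video",
    "ram": "Real Media demuxer",
    "ra": "Real Media demuxer",
    "rm": "Real Media demuxer",
}

def parse_version(text):
    """'0.8.6e' -> ((0, 8, 6), 'e'). Assumption: no letter sorts before 'a'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def is_affected(version):
    """True when the version is 0.8.6e or earlier."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)

def risk_hints(mrl):
    """Return the advisory's module hints that apply to one MRL or path."""
    parts = urlsplit(mrl.strip())
    hints = []
    if parts.scheme == "rtsp":          # urlsplit lower-cases the scheme
        hints.append("Real RTSP demuxer")
    # Look at the path only, so '?query' or '#fragment' cannot hide the
    # suffix; decode %XX and accept both '/' and '\' as separators.
    name = re.split(r"[\\/]", unquote(parts.path))[-1]
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if suffix in SUFFIX_HINTS:
        hints.append(SUFFIX_HINTS[suffix])
    return hints

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = ["RTSP://media.example/live.rm?start=10",
               "/home/user/Clip.MOV",
               "http://media.example/a%2Emp4#t=5",
               "song.ogg"]
    print("installed 0.8.6e affected:", is_affected("0.8.6e"))
    for s in samples:
        print(s, "->", risk_hints(s) or "no hint from the advisory")
```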

Solution

VLC media player 0.8.6f addresses these issues and introduces further usability fixes.

Pre-compiled packages are available at the usual download locations.

Credits

The Real RTSP demuxer, Real media demuxer, MP4 demuxer and Cinepak codec vulnerabilities were discovered by Drew Yao of Apple Product Security.

References

The VideoLAN project
http://www.videolan.org/

History

19 April 2008
Addition of further CVE references to this SA
2 April 2008
VLC 0.8.6f bugfix release
March 2008
Source code fixes for VLC 0.8.6f and development tree
Vulnerability reports
Felix Paul Kühne,
on behalf of the VideoLAN project