VideoLAN, a project and a non-profit organization.

Security Advisory 0804

Summary           : Arbitrary file overwrite and other abuses
                    through M3U parser
Date              : November 2007
Affected versions : VLC media player 0.8.6c and earlier
ID                : VideoLAN-SA-0804
CVE reference     : CVE-2007-6683


Using VLC media player's M3U Playlist Parser could lead to arbitrary file overwrite and other unwanted actions within the security context of the user running VLC.


If successful, a malicious third party could misuse the Stream Output features of VLC media player, through the M3U Playlist Parser, to write arbitrary data to any accessible file system location, send packets on the network, etc.

Threat mitigation

Exploitation of these design issues requires the user to open a specially crafted M3U playlist file.


The user should not use VLC media player's --m3u-extvlcopt setting, which enables parsing of exploitable playlist item options. This option is only found in some 0.8.6 releases; from VLC 0.9.0, unsafe playlist extensions are always ignored.
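
The following check is an added example, not part of the VideoLAN advisory or of VLC's code. It scans a playlist for #EXTVLCOPT lines, the per-item option extension that the --m3u-extvlcopt setting governs, so that a playlist from an untrusted source can be rejected before it is opened. The function names, the "sout" name heuristic and the sample playlist are assumptions made for illustration.

```python
import re

# "#EXTVLCOPT:<option>[=<value>]" is VLC's per-item option extension for M3U.
EXTVLCOPT = re.compile(r"^#EXTVLCOPT:(?P<body>.*)$", re.IGNORECASE)


def audit_playlist(text):
    """Return one finding per playlist-supplied VLC option."""
    findings = []
    # Strip a UTF-8 BOM so a directive on the first line is not missed.
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        m = EXTVLCOPT.match(raw.strip())
        if not m:
            continue
        # Option name is everything before '=', minus leading ':' or '-'.
        name = m.group("body").split("=", 1)[0].strip().lstrip(":-").lower()
        findings.append({
            "line": lineno,
            "option": name,
            # Heuristic (assumption): "sout" / "sout-*" select Stream Output.
            "stream_output": name == "sout" or name.startswith("sout-"),
        })
    return findings


def is_safe_to_open(text):
    """Conservative policy: reject any playlist that carries item options."""
    return not audit_playlist(text)


# Constructed sample; the option values are placeholders, not working chains.
SAMPLE = (
    "\ufeff#EXTM3U\r\n"
    "#EXTINF:123,Some track\r\n"
    "#extvlcopt:sout=PLACEHOLDER\r\n"
    "http://media.example/track1.ogg\r\n"
    "#EXTVLCOPT:network-caching=1000\r\n"
    "http://media.example/track2.ogg\r\n"
)

if __name__ == "__main__":
    for f in audit_playlist(SAMPLE):
        kind = "STREAM OUTPUT" if f["stream_output"] else "other option"
        print(f"line {f['line']}: {f['option']} ({kind})")
```

The policy rejects every playlist that carries item options instead of trying to separate harmless ones from dangerous ones; the stream_output flag only helps triage what was found.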


VLC media player 0.8.6d addresses these design issues and introduces further usability fixes.


These vulnerabilities were discovered internally by multiple members of the VideoLAN Team, notably Damien Fouilleul and Rémi Denis-Courmont.


The VideoLAN project
GitLab issue #1371


21 January 2009
10 May 2008
Added CVE ID reference
30 November 2007
VLC 0.8.6d bugfix release
20 November 2007
Patch provided against VLC 0.8.6 source code
Patch applied to VLC development tree
Ticket opened
Rémi Denis-Courmont, Damien Fouilleul, Felix Paul Kühne,
on behalf of the VideoLAN project