
Security Bulletin VLC-iOS 3.5.9

Summary           : Vulnerability fixed in VLC media player
Date              : June 2024
Affected versions : VLC-iOS 3.5.7 and earlier
ID                : VideoLAN-SB-VLC-iOS-359

Details

A potential path traversal in the included WiFi File Sharing feature could be used by malicious parties on the local network to upload arbitrary data to storage locations inside the application container that are not visible to the user. The uploaded file name was not restricted to the intended upload directory, so a crafted name could place the file elsewhere within the container.
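
The following is an added example, not code from VLC-iOS or the VideoLAN project, that illustrates the class of bug described above in a portable form. It contrasts a naive join of a client-supplied file name against the upload directory with a hardened version that keeps only the final path component and verifies that the resolved target still lies inside the resolved upload directory. The directory layout and the attacker-supplied names are constructed for the demonstration and do not describe the actual VLC-iOS code paths.

```python
import os
import posixpath
import tempfile
from typing import Optional


def unsafe_target(upload_dir: str, client_name: str) -> str:
    """Vulnerable pattern (hypothetical, for illustration): the client-supplied
    name is joined directly onto the upload directory. '../' segments walk out
    of upload_dir, and an absolute name discards upload_dir entirely."""
    return os.path.join(upload_dir, client_name)


def safe_target(upload_dir: str, client_name: str) -> Optional[str]:
    """Hardened pattern: reduce the name to a single path component, reject
    names that are empty, dot-only, hidden, or contain NUL, then confirm the
    resolved target is still inside the resolved upload directory.
    Returns the absolute target path, or None when the upload must be refused."""
    if "\x00" in client_name:
        return None
    base = os.path.realpath(upload_dir)
    # Keep only the last component; any directory part the client sent is dropped.
    name = posixpath.basename(client_name)
    if name in ("", ".", ".."):
        return None
    # Policy choice for this example (not something the bulletin specifies):
    # refuse dot-prefixed names so nothing lands in the upload folder that the
    # user's own file listing would not show.
    if name.startswith("."):
        return None
    target = os.path.realpath(os.path.join(base, name))
    # Containment check on canonical paths: symlinks and '..' are resolved first.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def escapes_upload_dir(upload_dir: str, client_name: str) -> bool:
    """True when the naive join would resolve to a location outside upload_dir,
    i.e. the traversal the unsafe pattern permits."""
    base = os.path.realpath(upload_dir)
    resolved = os.path.realpath(unsafe_target(upload_dir, client_name))
    return os.path.commonpath([base, resolved]) != base


def demo() -> dict:
    """Constructed scenario: a temporary 'container' directory with a
    Documents/uploads subdirectory, and a few names an attacker on the local
    network might send. Returns {name: (naive_join_escapes, hardened_target)}."""
    container = tempfile.mkdtemp(prefix="container-")
    uploads = os.path.join(container, "Documents", "uploads")
    os.makedirs(uploads)
    attacker_names = [
        "movie.mp4",                    # ordinary upload
        "../../Library/hidden.bin",     # walks up into a sibling directory
        "/etc/passwd",                  # absolute name discards upload_dir
        "..",                           # target becomes the parent directory
        ".hidden",                      # would be invisible in a file listing
    ]
    return {n: (escapes_upload_dir(uploads, n), safe_target(uploads, n))
            for n in attacker_names}


if __name__ == "__main__":
    for name, (escapes, hardened) in demo().items():
        print(f"{name!r:30} naive join escapes: {escapes!s:5} hardened target: {hardened}")
```

The containment check must run on canonicalised paths (`os.path.realpath`) on both sides; comparing string prefixes of the un-resolved join is a common mistake that symlinks and `..` defeat.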

Impact

If successful, a malicious third party could cause a denial of service on the device by exhausting its storage space, or cause harm through the mere presence of arbitrary attacker-chosen data on the device. No read access was possible for the third party. No write access outside the application container was possible.

We are not aware of any exploitation of this vulnerability.

The tvOS port of the app was not affected.


Threat mitigation

Exploitation of this issue requires the user to explicitly start WiFi File Sharing on a local network with potential malicious actors.

Workarounds

The user should refrain from enabling WiFi File Sharing on local networks with potential malicious actors until the update is installed.

Solution

VLC-iOS 3.5.9 addresses the issue.

Credit

Reported by Allar Lauk of TalTech University (Estonia)

References

The VideoLAN project
http://www.videolan.org/
VLC-iOS GIT repository
https://code.videolan.org/videolan/vlc-ios.git