VLC Media Player Buffer Overflow in MP4A Packetizer Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1029120
SecurityTracker URL: http://securitytracker.com/id/1029120
Date: Oct 1 2013
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes. Vendor Confirmed: Yes
Version(s): 2.0.8; possibly other versions
A vulnerability was reported in VLC Media Player. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted file that, when loaded by the target user, will trigger a buffer overflow in the mp4a packetizer and execute arbitrary code on the target system. The code will run with the privileges of the target user.
Laurent Butti reported this vulnerability.
A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
The vendor has issued a fix (2.0.9, 2.1.0).
The vendor's advisory is available at:
Vendor URL: videolan.org/
Underlying OS: Windows (Any)
Source Message Contents
Subject: Re: [oss-security] CVE request: VLC
On 09/30/2013 03:31 PM, Laurent Butti wrote:
> I have found a security issue in vlc 2.0.8 which was reported to
> VLC team and fixed in both 2.0.9 and 2.1.0 (as "Fix buffer overflow
> in the mp4a packetizer").
> Here are the commit log and changelog:
> Could a CVE be assigned?
> Thanks, Laurent Butti.
Thanks, please use CVE-2013-4388 for this issue.
Also do you know anything about:
* Add protection against several potential heap buffer overflow in
how potential are we talking?
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993