VLC Media Player HTML Subtitle Parsing Buffer Overflow

by Carol~ Moderator - 1/4/13 9:15 AM

In Reply to: VULNERABILITIES / FIXES - January 04, 2013 by Carol~ Moderator

VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities

Release Date : 2012-12-28
Last Update : 2013-01-04

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: VLC Media Player 2.x

Description:
Some vulnerabilities have been reported in VLC Media Player, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to errors when parsing HTML subtitles in modules/codec/subsdec.c and can be exploited to cause buffer overflows via a specially crafted subtitle file.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 2.0.5.

Solution:
Update to version 2.0.5.

Provided and/or discovered by:
The vendor credits Kaveh Ghaemmaghami (coolkaveh).

Original Advisory:
VideoLAN-SA-1301:
http://www.videolan.org/security/sa1301.html

http://secunia.com/advisories/51692