In association with heise online

23 January 2011, 18:00

Critical vulnerability in VLC player

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The VLC media player includes a decoder for the relatively rarely used CDG format; this has two critical heap corruption vulnerabilities. Using VLC to play manipulated video in this format could cause heap corruption, which could in turn be exploited to inject and execute malicious code. The bug has already been eliminated in the corresponding repository, but not in the the official binaries of the VLC player. A source code patch for VLC version 1.1.5 is available from Git.

Since the code of the decoder has undergone only minor changes since previous versions of VLC, the patch can probably be used to fix the vulnerability in older versions prior to 1.1.5.

Update (24-01-11): The VLC developers have now issued an update, fixing the CDG heap problems and with one or two other fixes - VLC Media Player 1.1.6 fixes critical vulnerabilities.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit