Critical vulnerability in VLC player
The VLC media player includes a decoder for the relatively rarely used CDG format; this decoder has two critical heap corruption vulnerabilities. Using VLC to play a manipulated video in this format could cause heap corruption, which could in turn be exploited to inject and execute malicious code. The bug has already been eliminated in the corresponding repository, but not in the official binaries of the VLC player. A source code patch for VLC version 1.1.5 is available from Git.
Since the code of the decoder has undergone only minor changes since previous versions of VLC, the patch can probably be used to fix the vulnerability in older versions prior to 1.1.5.
Update (24-01-11): The VLC developers have now issued an update that fixes the CDG heap problems along with one or two other issues; see VLC Media Player 1.1.6 fixes critical vulnerabilities.
- VLC Media Player 1.1.5 fixes Windows vulnerability, a report from The H.