New critical vulnerabilities in VLC media player
A security update for the open source VLC media player fixes two critical vulnerabilities. Buffer overflows, which can be exploited by an attacker to inject code into a system and execute it with the user's privileges, can occur when parsing CUE image files and RealText subtitle files. However, the user must open a crafted file for this to happen.
VLC versions 0.5.0 to 0.9.5 are affected. Updating to version 0.9.6 should fix the bugs. For Windows, however, the latest version currently available to download is the old version 0.9.4. Alternatively, users can remove the affected plugins, libvcd_plugin.*
and libsubtitle_plugin.*
from the installation directory. Patches for older version are, according to the developers, available from the "o.9-bugfix" branch of the repository.
The development team behind VLC have been forced to patch multiple security vulnerabilities over the last year, most of which could be exploited to infect a computer. This does not, however, appear to have dented the application's popularity.
See Also:
- Buffer overflows in VLC RealText and CUE demuxers, advisory from VLC
- VLC media player RealText Processing Stack Overflow, advisory from Tobias Klein
- VLC media player cue Processing Stack Overflow, advisory from Tobias Klein
(djwm)