In association with heise online

22 September 2009, 12:19

Vulnerabilities in VLC and FFmpeg

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The VLC developers have published the source code for version 1.0.2 of their open source media player, closing several critical security vulnerabilities. Versions 0.5.0 to 1.0.1 of the popular media player are vulnerable to a stack overflow that could lead to the remote execution of arbitrary code. For an attack to be successful, a victim must first open a specially crafted MP4, ASF or AVI file. Patches are available in the VLC source code repository 1.0-bugfix branch. Alternatively, the developers note that users can manually remove the MP4, AVI and ASF demultiplexer plug-ins (libmp4_plugin.*, libavi_plugin.*, libasf_plugin.*) from the plug-in installation directory.

In addition, security specialist Secunia is warning of several vulnerabilities in FFmpeg, a free tool and library collection used to record, convert and stream audio and video files in various formats. It's used by several popular open source software projects including the VLC media player, MPlayer, Perian and others. The vulnerabilities range from NULL-pointer dereferences, heap overflows, remote code execution and various processing issues to Denial of Service (DoS) problems. According to Secunia, the vulnerabilities have been confirmed in version 0.5 and other versions are also likely affected.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit