In association with heise online

28 February 2008, 13:48

Security holes in VLC media player patched


The developers of the open source media player VLC have closed several security holes. These would have allowed attackers to inject and execute malicious code using manipulated RTSP streams or crafted video files. The latest version, 0.8.6e, is available to download and fixes the flaws.

According to the VLC programmers' announcement, the current version no longer contains the error in decoding specially crafted Real Time Streaming Protocol (RTSP) streams, which could cause a heap buffer overflow due to a string validation error. Two additional security holes existed in the subtitle demuxer and in the user interface, which attackers could also have exploited to inject code.

The new version also remedies an error in the MP4 demultiplexer that allowed a manipulated MP4 file to overwrite arbitrary memory: the software did not validate certain tags in the file before using them to control copy operations. This could have resulted in the execution of malicious code or in a crash of the player.
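The bug class behind both the RTSP string handling flaw and the MP4 demuxer flaw described above is the same: a length taken from the input drives a copy into a fixed-size buffer without being checked first. The following is an added illustration, not VLC's code and not a reproduction of the actual flaws; the box layout (a 4-byte big-endian size, a 4-byte type tag, then a name payload), the fixed 32-byte destination, the function names and the two sample boxes are all assumptions made for the demonstration. It puts the unchecked copy beside the hardened version that validates the declared size against both the bytes actually present and the destination capacity before touching memory.

```c
/* Added example (hypothetical parser, not VLC code): the "copy before checking
 * the size tag" bug class from the article, shown as a toy MP4-style box reader. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* assumed fixed-size destination, e.g. a track metadata field */
#define BOX_HDR  8    /* assumed layout: 4-byte big-endian size + 4-byte type tag */

typedef struct {
    char     name[NAME_MAX];
    uint32_t name_len;
} track_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Payload length exactly as declared by the size field in the file.
 * This value is attacker controlled and may have nothing to do with
 * how many bytes are really present. */
uint32_t declared_payload_len(const uint8_t *box, size_t avail) {
    if (avail < BOX_HDR) return 0;
    uint32_t size = be32(box);
    return size >= BOX_HDR ? size - BOX_HDR : 0;
}

/* VULNERABLE pattern: the declared size drives memcpy into a fixed buffer.
 * On a crafted box whose size field exceeds NAME_MAX this writes past
 * t->name (heap or stack corruption, depending on where track_t lives).
 * Kept only to contrast with the checked version; never use on untrusted data. */
int read_name_unchecked(track_t *t, const uint8_t *box, size_t avail) {
    uint32_t len = declared_payload_len(box, avail);
    memcpy(t->name, box + BOX_HDR, len);   /* no bound on len at all */
    t->name_len = len;
    return 0;
}

/* HARDENED: validate the size tag against the bytes actually available and
 * against the destination capacity before any copy. Malformed input is
 * rejected rather than truncated, so it cannot silently alter parser state. */
int read_name_checked(track_t *t, const uint8_t *box, size_t avail) {
    if (avail < BOX_HDR) return -1;                 /* truncated header */
    uint32_t size = be32(box);
    if (size < BOX_HDR || size > avail) return -1;  /* size tag lies about the box */
    uint32_t len = size - BOX_HDR;
    if (len >= NAME_MAX) return -1;                 /* must leave room for the NUL */
    memcpy(t->name, box + BOX_HDR, len);
    t->name[len] = '\0';
    t->name_len = len;
    return 0;
}

/* Constructed sample boxes for the demonstration (not taken from any real file). */
static const uint8_t good_box[] = {
    0x00, 0x00, 0x00, 0x13, 'h', 'd', 'l', 'r',   /* size 19 = 8 header + 11 payload */
    'V', 'i', 'd', 'e', 'o', 'H', 'a', 'n', 'd', 'l', 'e'
};
static const uint8_t evil_box[] = {
    0x00, 0x00, 0x01, 0x08, 'h', 'd', 'l', 'r',   /* size 264: claims 256 payload bytes */
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'        /* only 8 bytes actually present */
};

int main(void) {
    track_t t;
    memset(&t, 0, sizeof t);
    if (read_name_checked(&t, good_box, sizeof good_box) == 0)
        printf("good box: name=%s len=%u\n", t.name, (unsigned)t.name_len);
    if (read_name_checked(&t, evil_box, sizeof evil_box) != 0)
        printf("evil box: rejected (declares %u payload bytes, buffer holds %d)\n",
               (unsigned)declared_payload_len(evil_box, sizeof evil_box), NAME_MAX);
    return 0;
}
```

The checked reader compares the declared size against the number of bytes the caller actually has before it ever computes a copy length, which is the check the article says was missing; a demuxer that only compares against the destination buffer would still read past the end of a truncated file, so both bounds matter.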

These errors are present in VLC media player versions up to and including 0.8.6d. VLC media player users should download and install version 0.8.6e as soon as possible. Binary packages for Windows are available to download on the project homepage. Linux distributors are also expected to deliver updated packages soon.
