Security holes in VLC media player patched
The developers of the open source media player VLC have closed several security holes. These would have allowed attackers to inject and execute malicious code using manipulated real-time data streams or crafted video files. The latest version, 0.8.6e, is available to download and fixes the flaws.
According to the VLC programmers' announcement, the current version no longer contains the error in decoding specially crafted real-time data streams (RTSP), which could cause a heap buffer overflow due to a string validation error. Two additional security holes existed in the subtitle demuxer and in the user interface, which attackers could also have exploited to inject code.
The new version also remedies an error in the MP4 demultiplexer, which could overwrite memory arbitrarily when processing manipulated MP4 files, since the software did not check certain tags in the files before copying data. This could have resulted in the execution of malicious code or caused the program to crash.
These errors are present in VLC media player versions up to and including 0.8.6d. VLC media player users should download and install version 0.8.6e as soon as possible. Binary packages for Windows are available to download on the project homepage. Linux distributors are also expected to deliver updated packages soon.
See also:
- VLC media player chunk context validation error, security update by Core Security
- Format string vulnerability in the Web interface; Stack-based buffer overflow in the Subtitles demuxer; String buffer overflows in the Real RTSP demuxer, VLC developers' security advisory
- Arbitrary memory overwrite in the MP4 demuxer, VLC developers' security advisory
- videolan-announce VLC media player 0.8.6e, announcement by the VLC developers
- Download page for the current version of the VLC media player
(mba)