VideoLAN executes code from media files
The developers of the open-source VideoLAN Client (VLC) software have released Version 0.8.6c, which fixes several vulnerabilities triggered when playing back crafted media files. In a security report they explain that the support modules for the Ogg Vorbis and Theora formats, for CD Digital Audio (CDDA) and for the Service Announce Protocol (SAP) contain so-called format string vulnerabilities.
As a result, crafted .ogg/.ogm files, crafted CDDB entries and, for example, Service Announce Protocol/Service Discovery Protocol network packets sent to the broadcast address of a local network can inject malicious program code, which is then executed with the privileges of the user running VLC. The VLC programmers therefore classify the vulnerabilities as critical and recommend updating to the current Version 0.8.6c.
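The bug class named in the report, a format string vulnerability, arises when text taken from a file or network packet (a tag name, a CDDB title, a SAP announcement) is handed to a printf-style function as the format argument rather than as a value. The following C program is an added illustration, not code from VLC or from the advisory: it shows the vulnerable call shape in a comment next to its hardened form, a small heuristic that counts conversion directives in untrusted metadata (useful for logging or rejecting suspicious tags), and a percent-escaping helper for cases where a string must still be passed to a legacy API that takes a format. The sample tag `TITLE=%x%x%n` is a constructed placeholder.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of a Vorbis-comment style tag carrying printf
 * directives. Placeholder content, not taken from the advisory. */
static const char *SAMPLE_TAG = "TITLE=%x%x%n";

/* Count conversion specifiers in s, treating "%%" as a literal percent.
 * Returns the number of directives a printf-family function would try
 * to interpret if s were (wrongly) used as a format string. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is an escaped literal */
        n++;
    }
    return n;
}

/* Vulnerable shape (shown only as a comment, never called here):
 *     snprintf(out, n, tag);
 * With tag under attacker control, every '%' directive in it reads or
 * writes memory the caller never intended to expose.
 *
 * Hardened form: the format is a compile-time constant and the untrusted
 * tag is passed as a plain string argument. */
int render_tag_safe(char *out, size_t n, const char *tag) {
    return snprintf(out, n, "%s", tag);
}

/* When untrusted text must reach a legacy API that takes a format string
 * (e.g. a logging macro), double every '%' first so each one is printed
 * literally. Returns a malloc'd copy; the caller frees it. */
char *escape_percent(const char *s) {
    size_t len = strlen(s), extra = 0;
    for (const char *p = s; *p; p++) if (*p == '%') extra++;
    char *out = malloc(len + extra + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        *q++ = *p;
        if (*p == '%') *q++ = '%';
    }
    *q = '\0';
    return out;
}

/* Convenience check: does escape_percent(s) produce expected? */
int escaped_equals(const char *s, const char *expected) {
    char *e = escape_percent(s);
    if (!e) return 0;
    int same = strcmp(e, expected) == 0;
    free(e);
    return same;
}

int main(void) {
    char buf[64];
    int d = count_format_directives(SAMPLE_TAG);
    printf("directives found in untrusted tag: %d%s\n", d,
           d ? " (suspicious, log or reject)" : "");
    render_tag_safe(buf, sizeof buf, SAMPLE_TAG);
    printf("rendered through constant format: %s\n", buf);
    char *esc = escape_percent(SAMPLE_TAG);
    if (esc) {
        printf("escaped for a legacy format API: %s\n", esc);
        free(esc);
    }
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (GCC and Clang) flags the commented vulnerable shape whenever it appears with a non-literal format, which is the cheapest way to audit a codebase of demuxers and protocol parsers for this class of bug.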
- Download the current VLC version for several platforms
- Format string injection in Vorbis, Theora, SAP and CDDA plugins, security report from VideoLAN developers
(mba)