Vulnerabilities in VLC and FFmpeg
The VLC developers have published the source code for version 1.0.2 of their open source media player, closing several critical security vulnerabilities. Versions 0.5.0 to 1.0.1 of the popular media player are vulnerable to a stack overflow that could lead to the remote execution of arbitrary code. For an attack to be successful, a victim must first open a specially crafted MP4, ASF or AVI file. Patches are available in the VLC source code repository 1.0-bugfix branch. Alternatively, the developers note that users can manually remove the MP4, AVI and ASF demultiplexer plug-ins (libmp4_plugin.*, libavi_plugin.*, libasf_plugin.*) from the plug-in installation directory.
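The manual workaround described above, as an added shell example that is not taken from the VLC advisory: it moves the three demuxer plug-ins out of a plug-in directory into a quarantine directory, so the change can be reversed once a patched build is installed. The function names are hypothetical and both directory paths are supplied by the caller, since the article does not name the installation directory.

```shell
#!/bin/sh
# Added example: reversible form of the "remove the demuxer plug-ins" workaround.
# Plug-in and quarantine paths are caller-supplied assumptions, not advisory values.

# Print every MP4/AVI/ASF demuxer plug-in file found under directory $1.
list_vulnerable_demuxers() {
    find "$1" -type f \( -name 'libmp4_plugin.*' \
        -o -name 'libavi_plugin.*' \
        -o -name 'libasf_plugin.*' \) -print
}

# Move the plug-ins found under $1 into quarantine directory $2.
# Prints the number of files moved; returns non-zero on failure.
# Keep the quarantine directory outside the plug-in directory.
quarantine_demuxers() {
    plugin_dir=$1
    quarantine_dir=$2
    [ -d "$plugin_dir" ] || { echo "no such directory: $plugin_dir" >&2; return 2; }
    mkdir -p "$quarantine_dir" || return 2
    found_list="$quarantine_dir/.found"
    # Plug-in file names contain no newlines, so a line-wise list is safe here.
    list_vulnerable_demuxers "$plugin_dir" > "$found_list" || return 2
    moved=0
    while IFS= read -r plugin_file; do
        mv -- "$plugin_file" "$quarantine_dir/" || return 1
        moved=$((moved + 1))
    done < "$found_list"
    rm -f "$found_list"
    echo "$moved"
}

# Exit status 0 only when none of the three demuxer plug-ins remain under $1.
workaround_applied() {
    [ -z "$(list_vulnerable_demuxers "$1")" ]
}

# Stand-alone use: sh script.sh <plugin-dir> <quarantine-dir>
if [ "$#" -eq 2 ]; then
    quarantine_demuxers "$1" "$2"
fi
```

With the plug-ins moved aside, VLC can no longer open MP4, AVI or ASF files at all; moving the files back restores playback after upgrading to a fixed version.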
In addition, security specialist Secunia is warning of several vulnerabilities in FFmpeg, a free tool and library collection used to record, convert and stream audio and video files in various formats. It's used by several popular open source software projects including the VLC media player, MPlayer, Perian and others. The vulnerabilities range from NULL-pointer dereferences, heap overflows, remote code execution and various processing issues to Denial of Service (DoS) problems. According to Secunia, the vulnerabilities have been confirmed in version 0.5 and other versions are also likely affected.
See also:
- Stack overflow in MPA, AVI and ASF demuxer, security advisory from VLC.
- ffmpeg Multiple Vulnerabilities, security advisory from Secunia.
(crve)