
VLC Player hit by buffer overflow vulnerability

A security researcher has warned of a serious vulnerability in VideoLAN’s VLC Player (VLC), a popular media playback tool, for which no patch is yet available.

First released in February 2001 and developed under the Lesser GPL V2.1+ licence, VideoLAN Player – most commonly referred to as VLC – is one of the most popular cross-platform media playback and streaming utilities around. Sadly, that very popularity makes it a ripe target for ne’er-do-wells – making a serious flaw discovered in the latest release all the more critical.

According to the bug’s entry on the Common Vulnerabilities and Exposures (CVE) project, the flaw allows malicious or otherwise badly-written code to read past the end of a heap-based buffer in the software’s MKV demuxing function. The US National Vulnerability Database, meanwhile, gives it a CVSS 3.0 base score of 9.8 – the top Critical rating – since it can be used to crash the system, read private data, or even access private files.
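The bug class described above – a demuxer trusting a size field from the file and reading past the heap buffer that actually holds the data – is easiest to see in the element parser that MKV (Matroska, an EBML container) requires. The following is an added illustration written for this article, not VLC’s code and not the affected code path; the parser, function names and the sample bytes are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode an EBML variable-length integer, the size encoding Matroska/MKV
 * uses. Returns bytes consumed, or 0 if the input is truncated or the
 * length marker is invalid. The marker bit is stripped (fine for sizes;
 * for IDs we only need the byte count, not the value). */
size_t ebml_read_vint(const uint8_t *p, size_t avail, uint64_t *out)
{
    size_t len = 1;
    uint8_t mask = 0x80;
    if (avail == 0) return 0;
    while (len <= 8 && !(p[0] & mask)) { mask >>= 1; len++; }
    if (len > 8 || len > avail) return 0;   /* bad marker, or header cut off */
    uint64_t v = p[0] & (uint8_t)(mask - 1);
    for (size_t i = 1; i < len; i++) v = (v << 8) | p[i];
    *out = v;
    return len;
}

/* Copy one element's payload into dst. Returns the payload length, or -1
 * when the declared size runs past the input buffer or past dst. A demuxer
 * that trusts the declared size without this bound reads heap memory
 * beyond the file data it actually holds. */
int ebml_read_element_checked(const uint8_t *buf, size_t buflen,
                              uint8_t *dst, size_t dstlen)
{
    uint64_t id, size;
    size_t idlen = ebml_read_vint(buf, buflen, &id);
    if (idlen == 0) return -1;
    size_t szlen = ebml_read_vint(buf + idlen, buflen - idlen, &size);
    if (szlen == 0) return -1;
    size_t hdr = idlen + szlen;
    if (size > buflen - hdr || size > dstlen) return -1;  /* size is untrusted */
    memcpy(dst, buf + hdr, (size_t)size);
    return (int)size;
}

/* Constructed samples, not taken from any real file: a SimpleBlock element
 * (ID 0xA3) declaring a 4-byte payload, once complete and once cut short. */
const uint8_t k_complete[]  = {0xA3, 0x84, 0x01, 0x02, 0x03, 0x04};
const uint8_t k_truncated[] = {0xA3, 0x84, 0x01, 0x02};

/* Parse into a local scratch buffer; returns payload length or -1. */
int demo_parse(const uint8_t *buf, size_t buflen)
{
    uint8_t scratch[16];
    return ebml_read_element_checked(buf, buflen, scratch, sizeof scratch);
}
```

The truncated sample is what a fuzzer or a crafted file hands the parser; the `size > buflen - hdr` comparison is the check whose absence turns it into an out-of-bounds read.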

The VideoLAN bug tracker shows that the issue was first reported four weeks ago, with a description of the vulnerability and a proof-of-concept MP4 exploit which triggers a crash through a heap overflow. Initial tests indicated that the vulnerability is present in all versions up to the latest 4.0 beta, including the latest stable 3.0.7.1 release; a comment made over the weekend by one of the software’s developers, however, states that the example exploit code ‘does not crash a normal release of VLC 3.0.7.1’ – which goes against the scope outlined by the NVD.

Those interested in the bug can monitor for a fix and test their own installation on the VideoLAN bug tracker.

Susan E. Lopez