Highly critical

VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities


Release Date:  2012-12-28    Last Update:  2013-03-19    Views:  19,217

Secunia Advisory SA51692


Description


Some vulnerabilities have been reported in VLC Media Player, which can be exploited by malicious people to compromise a user's system.



Subject: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities

User Message
edrub43 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 3rd Jan, 2013 15:40
Score: 2
Posts: 1
User Since: 3rd Jan 2013
System Score: N/A
Location: UK
Last edited on 3rd Jan, 2013 15:43
VLC Media player 2.0.4 (a recent update) is now being shown as needing updating on Secunia PSI. If you open this version of VLC, click on Help and then 'Check for updates', it will indicate that you are using the latest version (or mine did, at least). This is misleading and updating to the new version is critical in view of the advisory above. You need to enter "VLC Media player 2.0.5" on a search engine to access the correct download. Uninstall 2.0.4, install 2.0.5 and Secunia PSI is happy.
Was this reply relevant?
+2
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 7th Jan, 2013 15:54
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 7th Jan, 2013 15:59
I am confused! Is VLC 2.0.5 secure now or not?

The Secure Browsing in PSI 2 points out a vulnerability following SA51464, which was found in Dec 2012. This thread provides a link to the Secunia advisory SA51692, which is solved in VLC 2.0.5 (see original advisory VideoLAN-SA-1301).

Maybe it's by accident, but both vulnerabilities were provided by Kaveh Ghaemmaghami.

How likely is it that both vulnerabilities are really different? Also videoLan recommends using VLC 2.0.5 to overcome SA51692.

Additionally the German BSI recommends updating to vlc 2.0.5:
-> https://www.buerger-cert.de/archive?type=widtechni...

Does a solved SA51692 mean that SA51464 is solved also?

I think it would be helpful to clear this.

Thanks
Klaus


Was this reply relevant?
+0
-0
mogs RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Expert Contributor 7th Jan, 2013 16:08
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@klausus02

Reading the following thread might help you :-
http://secunia.com/community/forum/thread/show/136...

Regards.........

--
Was this reply relevant?
+0
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 7th Jan, 2013 19:06
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
@mogs

Thank you for the hint. But it doesn't help me. The problem is not the VLC Player itself, it's the browser plugin. This is shown as unsecure in the Secure Browsing Tab of PSI 2 (SA51464).

VLC 2.0.5 comes with the same version of the plugin (npvlc.dll, version 2.0.2) as VLC 2.0.4. Although videoLan has written in their Security Advisory 1203 that VLC 2.0.5 addresses the issue. How do you understand what is written in VideoLan Security Advisory 1203?

Am I wrong?

Thanks


Was this reply relevant?
+0
-0
mogs RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Expert Contributor 7th Jan, 2013 21:31
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@klausus02

I can see what you mean.....SA51464

The vulnerability is confirmed in version 2.0.4. Other versions may also be affected.


Solution
No official solution is currently available.

It may be that the Secunia detection rules need to be amended for the plug-in.....Hopefully someone from Support will pick up on this thread in the morning and be able to clarify the position regarding.


--
Was this reply relevant?
+0
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 8th Jan, 2013 07:08
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
@mogs

Yesterday I posted a question in the videolan forum concerning SA51464.

The answer can be read here:
http://forum.videolan.org/viewtopic.php?f=14&t=107...

So. It looks like the vlc-plugin should be secure!

I also think that the detection rules for the plugin have to be checked.

--
Was this reply relevant?
+0
-0
E.Jeppesen RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Secunia Official 8th Jan, 2013 10:42
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
As stated in SA51464 (http://secunia.com/advisories/51464) VLC Media Player 2.x is currently affected by an unpatched vulnerability. Because it is possible to install a browser plugin during the installation of the program, VLC Media Player 2.x will show up in Secure Browsing in PSI 2.

Please ask if you feel that anything else needs to be cleared up.
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 8th Jan, 2013 11:20
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
@ E.Jeppesen

sorry that I insist..

.. just in order to guard against misunderstandings ...

Would you agree that we are talking about SA51464? If so then please follow
the provided link
http://forum.videolan.org/viewtopic.php?f=14&t=107...

to read the statement of Jean-Baptiste Kempf from videoLan.

He states that SA51464 has nothing to do with the browser plugin. Could it be
possible that a mistake has slipped in somewhere inside the chain ???

---
Was this reply relevant?
+0
-0
E.Jeppesen RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Secunia Official 8th Jan, 2013 13:17
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
klausus02, you are very welcome.
Yes, I believe we are talking about SA51464.

Whenever VLC Media Player 2.x is detected by the PSI, it will show up on the Secure Browsing page in PSI 2. The PSI does not have functionality to determine which part of the program is vulnerable, if it is the plugin or some other part. It will simply inform you that the program is vulnerable and you can then read the advisory for more information.
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 8th Jan, 2013 16:34
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Ok.

My PSI 2 readings are:

- VLC Media Player version 2.0.5 is secure (in Scan Results)
and
- VLC PlugIn is shown as unsecure in Secure Browsing because of SA51464.

When SA51464 has nothing to do with VLC PlugIn (see my link) but with normal VLC
why is SA51464 shown inside Secure Browsing at all and not inside Scan Results?

Btw: the vulnerability shown inside Secure Browsing points to SA51692 when double clicking
the entry. And SA51692 is fixed following the link http://www.videolan.org/security/sa1301.html
written in SA51692.

Do you understand my confusion?
Was this reply relevant?
+0
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 9th Jan, 2013 07:08
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 9th Jan, 2013 07:08
@ E.Jeppesen

!! NEW INFORMATION !!

Yesterday Jean-Baptiste Kempf from videoLan confirmed that the vulnerability
described in SA51464 is fixed in VLC 2.0.5:

-> http://forum.videolan.org/viewtopic.php?f=14&t=107...

Can this be seen as an official statement by videoLan ? In this case the solution status of SA51464 should be set to 'Vendor Patch' and all advisories were currently fixed in VLC 2.0.5.

... or am I too hasty...?

Was this reply relevant?
+0
-0
E.Jeppesen RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Secunia Official 9th Jan, 2013 12:47
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
@klausus02
I understand the confusion and that this may not seem completely logical, but the reason is as explained that the PSI does not have functionality to determine which part of a detected program is vulnerable. When VLC Media Player 2.x is detected by the PSI it will show up on the Secure Browsing page in PSI 2. It does that because VLC Media Player 2.x offers a browser plugin.

As for the link issue on the Secure Browsing page I have tried to recreate it but without success. In my test it all worked as intended and I was correctly linked to SA51464.

If changes should be needed to SA51464 then I am sure our Research Team will do so. Until then I recommend to consider our advisory as correct.

It could also be useful to see VideoLAN's own list of advisories. If the vulnerability described in SA51464 has been fixed, one might expect them to mention this in their own advisories.
http://www.videolan.org/security/
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 9th Jan, 2013 17:04
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
@ E.Jeppesen
I discussed with Jean-Baptiste Kemp about your idea to mention in videolan advisories that SA51464 is fixed.

But this seemed not to be a good choice....

You can read his reaction here at the end of the thread:
http://forum.videolan.org/viewtopic.php?f=14&t=107...

I feel there is some troubled relationship between Secunia and VideoLAN...

But this is not my business.

So if you see a chance to change SA51464 I would be delighted.
Was this reply relevant?
+0
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 9th Jan, 2013 18:34
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 9th Jan, 2013 18:36
@E. Jeppesen

addition

... google is your friend....

I found the following note concerning SA51464:
http://permalink.gmane.org/gmane.os.netbsd.devel.p...

This lib is used from the vlc plugin.

No idea why Jean-Baptiste Kempf didn't give me the hint. May I had forgotten.

Hope that helps.
Was this reply relevant?
+0
-0
Anthony Wells RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Expert Contributor 10th Jan, 2013 01:03
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 10th Jan, 2013 01:19
Hello klausus02 ,

Even though Emil has answered your queries , perhaps , you should (re)read earlier VLC threads as per :-

http://secunia.com/community/forum/all_threads/?fo...

and including your own contribution here :-

http://secunia.com/community/forum/thread/show/599...

You might remember that : 1) the "problem" area is of the PSI not being able to distinguish whether the plug-in(s) are loaded at installation and/or "deselected" as a security workaround and that : 2) the VLC team were unable to help Secunia identify the situation with greater accuracy and that : 3) they were (at the time) unable to "patch" the Mozilla plug-in .

It would seem that the latest VLC "team" is "not willing/unable" to satisfy Secunia that SA51464 is patched ; so as has been described "ad nauseam" in those earlier threads , no patch "available" for this VLC SA = "secure/up to date" on "Scan Results" page but = "unpatched/no vendor solution" in the (for "advanced" users) "Secure Browsing" module of the PSI version 2.x . The situation is not likely to change until your interlocutor at the VLC Forum decides to get his act together .

Perhaps you could get him to be more articulate in his respons(es) to you ?!

EDIT:PS: as per Emil , I also have the correct SA link in my version 2.0.0.3003 secure browsing module .

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+0
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 10th Jan, 2013 15:09
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 10th Jan, 2013 15:10
Hello Anthony,

I suggested Videolan to discuss the different positions with Secunia directly.

PS:
In my version 2.0.0.3003 I also see a link to SA51464 in Secure Browsing in column 'Secunia Advisory'.

And when I double click this VLC entry there is an Online reference to SA51692 (which is fixed)!!

.. regards ...
Was this reply relevant?
+0
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 11th Jan, 2013 17:41
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 11th Jan, 2013 17:42
Hello Anthony,

the discussion with videolan about SA51464 is a delicate issue.
It seems that the guys at videolan are annoyed about Secunia for whatever.

Allow me to make a suggestion.
I think that's not necessarily your task.... but
only for this case... is there a way for Secunia initializing contact with VideoLan?
Just to pour oil on the troubled water... ? No one should lose face.

Evidence suggests that SA51464 could have been wrongly reported against
vlc and that SA51464 be fixed:

http://permalink.gmane.org/gmane.os.netbsd.devel.p...

-- regards
Klaus
Was this reply relevant?
+0
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 14th Jan, 2013 14:59
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
@ E.Jeppesen
@ Anthony

In his definitively last statement Jean-Baptiste Kempf from videolan says:

"... we already said this issue was fixed. 10 times.
THEIR job is to do their documentation, complain to them.."

see http://forum.videolan.org/viewtopic.php?f=14&t=107...


Is this so?

I can't do anymore for this topic. It's really kindergarten-like.

Was this reply relevant?
+0
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 5th Feb, 2013 17:07
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 6th Feb, 2013 11:11
NEW FINDINGS

@Anthony
@E. Jeppesen

After my last post in this thread I was annoyed about Jean-Baptiste Kemp's
reactions and I got tired of the topic.

But at the end of the day I did a last try...

As you know the biggest problem is to get proper information from videoLan.
And the release notes of VLC 2.0.5 give only a slight idea about what was fixed.
http://www.videolan.org/vlc/releases/2.0.5.html

Under "2.0.5 specific changes" it is written:
"Fix MKV, SWF, AIFF and subtitles demuxer crashes".


So, I helped myself and now, after tedious google-search I have found strong
evidence that SA51464 was fixed with VLC 2.0.5.

Let's have a look at what I discovered:

1.
SA51464 is based on a report by Kaveh Ghaemmaghami on 07.12.2012.
The "Original Advisory"-link of SA51464 refers to
http://seclists.org/fulldisclosure/2012/Dec/96

2.
Concurrently there exists the videoLan-ticket #7860 reported on 07.12.2012
by a guy named 'coolkaveh':
https://trac.videolan.org/vlc/ticket/7860

3.
The text inside ticket #7860 (https://trac.videolan.org/vlc/ticket/7860)

is nearly identical to the text inside the "Original Advisory"-link of SA51464
(http://seclists.org/fulldisclosure/2012/Dec/96) .

4.
Also, the link to the 'proof of concept' is the same in both links
http://seclists.org/fulldisclosure/2012/Dec/96

and

https://trac.videolan.org/vlc/ticket/7860 .

This shows that Kaveh Ghaemmaghami and 'coolkaveh' are the same person!
And it concludes that SA51464 and videoLan ticket #7860 are dealing with
the same issue !!!

Additionally there exists:
http://freshbsd.org/commit/pkgsrc/447ea50b9f2dfc0e...

This link gives two very important hints!

a. the description:
"add patch from upstream to fix possible memory allocation problems
in the SWF demuxer, fixes SA51464 originally (wrongly) reported
against vlc"

b. scrolling down a bit the following line:
"see https://trac.videolan.org/vlc/ticket/7860"

Anyway, following the 'Change History' of videoLan's #7860
(https://trac.videolan.org/vlc/ticket/7860)

it can be read that a fix for ffmpeg was released on 10.12.2012 by Michael Niedermayer from videoLan with the title "swfdec: check lens validity".

Then, VLC 2.0.5 was released on 15.12.2012.

Therefore I'm convinced that SA51464 has to be seen as fixed with VLC 2.0.5.

What do you think about my line of argument? Is this sufficient to close SA51464?
Or should this now be addressed to your Research Team ?

Thanks a lot


Was this reply relevant?
+2
-0
E.Jeppesen RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Secunia Official 6th Feb, 2013 12:12
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Hi klausus02
Thank you for all the information you have provided. Our researchers are currently investigating whether an update to our advisory should be needed.
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 7th Feb, 2013 07:49
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Thank you. I hope they will do so...
Was this reply relevant?
+0
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 13th Feb, 2013 07:33
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 13th Feb, 2013 07:34
@ E.Jeppesen

(unknown source)

... Our researchers are currently investigating whether an update to our advisory should be needed.


Any news from your researchers about SA51464...?

Regards ...
Was this reply relevant?
+0
-0
E.Jeppesen RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Secunia Official 18th Feb, 2013 13:41
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Hi Klaus
I have no further information than what I have previously supplied.
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 19th Feb, 2013 06:46
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 19th Feb, 2013 07:47
Thank you for your response.

Two days ago I posted a note to the research team in http://secunia.com/advisories/51464/ .

Hopefully at least one of the researchers will be going to read this. Of course I know SA51464 is not that important.. but a bit difficult.... Until now there isn't any reaction yet.

Regards...

Was this reply relevant?
+0
-0
klausus02 RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Member 26th Feb, 2013 14:01
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 26th Feb, 2013 14:04
@ E.Jeppesen

Three weeks ago I posted 'NEW FINDINGS' about SA51464.

How are the investigations of your researchers going on? I am afraid that the solution for SA51464 could fall into oblivion....

Was this reply relevant?
+0
-0
E.Jeppesen RE: VLC Media Player HTML Subtitle Parsing Buffer Overflow Vulnerabilities
Secunia Official 26th Feb, 2013 14:56
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Hi Klaus
I still have no further information than what I have previously supplied. I will update this thread if I should receive any. Until then I am closing this thread.
