
Forum Thread: VLC 1.x (up to 1.8) security issue

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
VideoLAN
And, this specific program:
VLC media player 1.x

This thread has been marked as locked.
Ascendor VLC 1.x (up to 1.8) security issue
Member 11th Apr, 2011 23:22
Ranking: 1
Posts: 8
User Since: 13th May, 2010
System Score: N/A
Location: DE
There's a new security issue with VLC, maybe you want to update PSI to detect it:

http://www.videolan.org/security/sa1103.html

mogs RE: VLC 1.x (up to 1.8) security issue
Expert Contributor 12th Apr, 2011 07:48
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 12th Apr, 2011 07:52
Hello.
Here's an article you might like to read :-

VLC Media Player Affected by Zero-Day Vulnerability

April 8th, 2011, 11:59 GMT | By Lucian Constantin

A critical zero-day vulnerability has been discovered in VLC media player and can potentially be exploited to execute arbitrary code on a user's system.

The flaw is located in libmodplug, a third-party library used to load and render music module files in multiple formats including .669, .amf, .ams, .dbm, .dmf, .dsm, .far, .it, .j2b, .mdl, .med, .mod, .mt2, .mtm, .okt, .psm, .ptm, .s3m, .stm, .ult, .umx, and .xmSound.

The libmodplug package is present by default in many Linux distributions, including Debian, Fedora, Ubuntu, Gentoo, as well as some media players.

"The vulnerability is caused due to a boundary error within the "CSoundFile::ReadS3M()" function in src/load_s3m.cpp, which can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted S3M file," vulnerability research vendor Secunia explains.

The flaw was discovered by M. Lucinskij and P. Tumenas of the SEC Consult Vulnerability Lab and was patched in libmodplug 0.8.8.2, released at the beginning of April.

However, the latest VLC binary packages, such as those for Windows and Mac OS X, still contain an outdated version of the library.

Because there is still no patch for VLC and proof-of-concept exploit code is publicly available, Secunia rates the vulnerability for the media player as highly critical.

More at :-
http://news.softpedia.com/news/VLC-Media-Player-Af...


And a clip from the Secunia Advisory :-


Vendor, Links, and Unpatched Vulnerabilities

Vendor VideoLAN

Product Link View Here (Link to external site)

Affected By 12 Secunia advisories
26 Vulnerabilities

Monitor Product Receive alerts for this product

Unpatched 17% (2 of 12 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting VLC media player 1.x, with all vendor patches applied, is rated Highly critical.

I notice that patches were issued 9/4/11....so I expect the psi detection rules will be amended shortly.



--
Was this reply relevant?
+1
-0
Anthony Wells RE: VLC 1.x (up to 1.8) security issue
Expert Contributor 12th Apr, 2011 11:40
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

If you read the VideoLAN advisory carefully , you will note that there are workarounds for existing versions ; as the Secunia PSI cannot monitor the correct application of "workarounds" , so Secunia does not consider them a security patch/update for its display purposes .

The patched version 1.1.9 "will" fix the problem "when" it is released . I am sure that Secunia will update their SA 44022 and the PSI's detection rules accordingly .

By the Secunia rules , VLC player 1.1.8 shows as fully patched , as in , because all "available" patches are applied .

Thank you for posting this vulnerability info to the Forum for those who have not seen the SA 44022 :-

http://secunia.com/advisories/44022/


As I have often said , it is a shame that the PSI does not display this info as it does for browsers in the "Secure Browsing" module ; however commercial priorities take precedence . Ironic really , considering the VLC Player plug-in bug that affects the "secure browsing" display .

Hope that is clear .

Anthony


--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+0
-0
Anthony Wells RE: VLC 1.x (up to 1.8) security issue
Expert Contributor 13th Apr, 2011 11:45
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

The PSI now shows (on my PC) that version 1.1.8 is insecure and gives the link to version 1.1.9 ; have just completed the update and the "individual programme re-scan" confirmed a satisfactory update .

The plug-ins for all browsers continue to show as insecure in "secure browsing" and the Mozilla Firefox plug-in is still NOT selected by default ; so one would assume that the Firefox vulnerability of SA41810 has not been fixed and the PSI display bug will continue for now .

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0
mogs RE: VLC 1.x (up to 1.8) security issue
Expert Contributor 13th Apr, 2011 13:39
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Here's the latest from The Inquirer re VLC :-
VLC player updated to fix major security loophole

MP4 heap corruption now addressed
By Dean Wilson
Wed Apr 13 2011, 11:40
VIDEO SOFTWARE FIRM Videolan has released an update to its VLC player that addresses a major security loophole and a number of other issues.
The company became aware of a heap corruption problem in the media player last week, which could be caused by insufficient buffer size while parsing some MP4 files.
This could potentially be exploited by a third party to execute arbitrary code, which could crash VLC and potentially open the door to installation of malware on a victim's computer.
The bug affects versions 1.0.0 to 1.1.8 of the VLC media player, but the recently released VLC 1.1.9 fixes this loophole. This update follows only two weeks after the previous update to 1.1.8.
A number of other fixes are included in the update, many of which address interface and other issues for Mac OS X. Growl is also now bundled with VLC on Macs.
Additionally, the libmodplug plug-in has been updated to improve security on both Windows and Mac OS.


Read more: http://www.theinquirer.net/inquirer/news/2043164/v...


--
Was this reply relevant?
+1
-0
