Forum Thread: VLC 1.x (up to 1.8) security issue

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
VideoLAN
And, this specific program:
VLC media player 1.x

This thread has been marked as locked.
Ascendor VLC 1.x (up to 1.8) security issue
Member 11th Apr, 2011 23:22
Ranking: 1
Posts: 8
User Since: 13th May, 2010
System Score: N/A
Location: DE
There's a new security issue with VLC, maybe you want to update PSI to detect it:

http://www.videolan.org/security/sa1103.html

mogs RE: VLC 1.x (up to 1.8) security issue
Member 12th Apr, 2011 07:48
Score:
Posts: 6,279
User Since: 22nd Apr 2009
System Score: N/A
Location: UK
Last edited on 12th Apr, 2011 07:52
Hello.
Here's an article you might like to read :-

VLC Media Player Affected by Zero-Day Vulnerability

April 8th, 2011, 11:59 GMT| By Lucian Constantin

A critical zero-day vulnerability has been discovered in VLC media player and can potentially be exploited to execute arbitrary code on a user's system.

The flaw is located in libmodplug, a third-party library used to load and render music module files in multiple formats including .669, .amf, .ams, .dbm, .dmf, .dsm, .far, .it, .j2b, .mdl, .med, .mod, .mt2, .mtm, .okt, .psm, .ptm, .s3m, .stm, .ult, .umx, and .xm.

The libmodplug package is present by default in many Linux distributions, including Debian, Fedora, Ubuntu, Gentoo, as well as some media players.

"The vulnerability is caused due to a boundary error within the "CSoundFile::ReadS3M()" function in src/load_s3m.cpp, which can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted S3M file," vulnerability research vendor Secunia explains.

The flaw was discovered by M. Lucinskij and P. Tumenas of the SEC Consult Vulnerability Lab and was patched in libmodplug 0.8.8.2, released at the beginning of April.

However, the latest VLC binary packages, such as those for Windows and Mac OS X, still contain an outdated version of the library.

Because there is still no patch for VLC and proof-of-concept exploit code is publicly available, Secunia rates the vulnerability for the media player as highly critical.

More at :-
http://news.softpedia.com/news/VLC-Media-Player-Af...


And a clip from the Secunia Advisory :-


Vendor, Links, and Unpatched Vulnerabilities

Vendor: VideoLAN

Affected By: 12 Secunia advisories, 26 Vulnerabilities

Unpatched: 17% (2 of 12 Secunia advisories)

Most Critical Unpatched:
The most severe unpatched Secunia advisory affecting VLC media player 1.x, with all vendor patches applied, is rated Highly critical.

I notice that patches were issued 9/4/11... so I expect the PSI detection rules will be amended shortly.



Anthony Wells RE: VLC 1.x (up to 1.8) security issue
Expert Contributor 12th Apr, 2011 11:40
Score: 2500
Posts: 3,387
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi,

If you read the VideoLAN advisory carefully, you will note that there are workarounds for existing versions; as the Secunia PSI cannot monitor the correct application of "workarounds", so Secunia does not consider them a security patch/update for its display purposes.

The patched version 1.1.9 "will" fix the problem "when" it is released. I am sure that Secunia will update their SA 44022 and the PSI's detection rules accordingly.

By the Secunia rules, VLC player 1.1.8 shows as fully patched, as in, because all "available" patches are applied.

Thank you for posting this vulnerability info to the Forum for those who have not seen the SA 44022 :-

http://secunia.com/advisories/44022/


As I have often said, it is a shame that the PSI does not display this info as it does for browsers in the "Secure Browsing" module; however commercial priorities take precedence. Ironic really, considering the VLC Player plug-in bug that affects the "secure browsing" display.

Hope that is clear.

Anthony


--


It always seems impossible until it's done.
Nelson Mandela
Anthony Wells RE: VLC 1.x (up to 1.8) security issue
Expert Contributor 13th Apr, 2011 11:45
Score: 2500
Posts: 3,387
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi,

The PSI now shows (on my PC) that version 1.1.8 is insecure and gives the link to version 1.1.9; have just completed the update and the "individual programme re-scan" confirmed a satisfactory update.

The plug-ins for all browsers continue to show as insecure in "secure browsing" and the Mozilla Firefox plug-in is still NOT selected by default; so one would assume that the Firefox vulnerability of SA41810 has not been fixed and the PSI display bug will continue for now.

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
mogs RE: VLC 1.x (up to 1.8) security issue
Member 13th Apr, 2011 13:39
Score:
Posts: 6,279
User Since: 22nd Apr 2009
System Score: N/A
Location: UK

