----------------------------------------------------------------------

Do you have a VARM strategy implemented?
(Vulnerability Assessment Remediation Management)

If not, then implement it through the most reliable vulnerability
intelligence source on the market.

Implement it through Secunia.

For more information visit:
http://secunia.com/advisories/business_solutions/

Alternatively, request a call from a Secunia representative today to
discuss how we can help you with our capabilities. Contact us at:
sales@secunia.com

----------------------------------------------------------------------

TITLE:
VLC Media Player Multiple Buffer Overflow Vulnerabilities

SECUNIA ADVISORY ID:
SA36762

VERIFY ADVISORY:
http://secunia.com/advisories/36762/

DESCRIPTION:
Some vulnerabilities have been reported in VLC Media Player, which can
be exploited by malicious people to potentially compromise a user's
system.

1) A boundary error exists within the "ASF_ObjectDumpDebug()" function
in modules/demux/asf/libasf.c. This can be exploited to cause a
stack-based buffer overflow via a specially crafted ASF file.

2) A boundary error exists within the "AVI_ChunkDumpDebug_level()"
function in modules/demux/avi/libavi.c. This can be exploited to cause
a stack-based buffer overflow via a specially crafted AVI file.

3) A boundary error exists within the "__MP4_BoxDumpStructure()"
function in modules/demux/mp4/libmp4.c. This can be exploited to cause
a stack-based buffer overflow via a specially crafted MP4 file.

Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.

Vulnerability #2 is confirmed in version 1.0.1. Other versions may also
be affected.

SOLUTION:
Do not process untrusted files with the application.

Fixed in the GIT repository:
http://git.videolan.org/?p=vlc.git;a=commit;h=dfe7084e8cc64e9b7a87cd37065b59cba2064823
http://git.videolan.org/?p=vlc.git;a=commit;h=861e374d03e6c60c7d3c98428c632fe3b9e371b2
http://git.videolan.org/?p=vlc.git;a=commit;h=c5b02d011b8c634d041167f4d2936b55eca4d18d

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Sebastian Apelt of Siberas.

ORIGINAL ADVISORY:
http://git.videolan.org/?p=vlc.git;a=commit;h=dfe7084e8cc64e9b7a87cd37065b59cba2064823
http://git.videolan.org/?p=vlc.git;a=commit;h=861e374d03e6c60c7d3c98428c632fe3b9e371b2
http://git.videolan.org/?p=vlc.git;a=commit;h=c5b02d011b8c634d041167f4d2936b55eca4d18d

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------
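All three issues in the DESCRIPTION above share one shape: a debug-dump routine formats container metadata read from the file (nesting depth, object or box names) into a fixed-size stack buffer without checking that it fits. The example below is an added illustration of how such a dump helper is written defensively; it is not VLC's code and does not reproduce the vulnerable functions. The function name `dump_box_line`, the buffer size `LINE_CAP` and all sample inputs are constructed for the demo. The helper indents by nesting depth, copies a file-supplied name, refuses to write past the caller's capacity, always NUL-terminates, and reports truncation so the caller can stop dumping instead of overrunning the stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deliberately small fixed-size line buffer for the demo (assumption). */
#define LINE_CAP 16

/* Format one debug-dump line: `depth` levels of two-space indentation
 * followed by `name_len` bytes of a file-supplied name. Never writes more
 * than `cap` bytes to `out`, always NUL-terminates what it did write, and
 * returns false if the line did not fit (the caller should stop dumping). */
bool dump_box_line(char *out, size_t cap, unsigned depth,
                   const char *name, size_t name_len)
{
    if (out == NULL || cap == 0)
        return false;

    size_t pos = 0;

    /* Indentation: depth is attacker-influenced (container nesting in the
     * file), so check room for two bytes plus the trailing NUL each level. */
    for (unsigned i = 0; i < depth; i++) {
        if (pos + 2 >= cap) {
            out[pos] = '\0';
            return false;
        }
        out[pos++] = ' ';
        out[pos++] = ' ';
    }

    /* Name: length comes from the file too, so bound it before copying and
     * replace non-printable bytes so log output cannot be spoofed. */
    if (pos + name_len >= cap) {
        out[pos] = '\0';
        return false;
    }
    for (size_t i = 0; i < name_len; i++) {
        unsigned char c = (unsigned char)name[i];
        out[pos++] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    out[pos] = '\0';
    return true;
}

/* Self-checks on constructed inputs; each returns 1 on the expected result. */

/* A shallow box with a short name fits and is rendered as expected. */
int check_fits(void)
{
    char buf[LINE_CAP];
    return dump_box_line(buf, sizeof buf, 2, "moov", 4)
        && strcmp(buf, "    moov") == 0;
}

/* Excessive nesting is rejected and the bytes after the buffer are intact. */
int check_rejects_deep(void)
{
    struct { char buf[LINE_CAP]; char canary[4]; } s;
    memcpy(s.canary, "CNRY", 4);
    bool ok = dump_box_line(s.buf, sizeof s.buf, 40, "moov", 4);
    return !ok && memcmp(s.canary, "CNRY", 4) == 0
        && strlen(s.buf) < LINE_CAP;
}

/* An over-long name is rejected before any byte of it is copied. */
int check_rejects_long_name(void)
{
    char buf[LINE_CAP];
    const char name[] = "abcdefghijklmnopqrstuvwxyz"; /* 26 bytes */
    return !dump_box_line(buf, sizeof buf, 0, name, 26) && buf[0] == '\0';
}

/* Non-printable bytes in a name are neutralised in the output. */
int check_sanitizes(void)
{
    char buf[LINE_CAP];
    const char name[4] = { 'm', 0x01, 'o', 'v' };
    return dump_box_line(buf, sizeof buf, 0, name, 4)
        && strcmp(buf, "m?ov") == 0;
}

int main(void)
{
    printf("fits:            %d\n", check_fits());
    printf("rejects deep:    %d\n", check_rejects_deep());
    printf("rejects long:    %d\n", check_rejects_long_name());
    printf("sanitizes name:  %d\n", check_sanitizes());
    return 0;
}
```

The design point is that the dump routine treats depth and name length as untrusted input and fails closed on truncation; a caller that ignores the return value still cannot overflow, it only loses part of the debug output.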