Wednesday, October 26, 2011

Critical vulnerability found in VLC player

Critical vulnerability found in VLC player


A critical vulnerability is found in the latest version of VLC media player. These are heap corruption vulnerabilities. VLC p;ayer is a powerful cross-platform multimedia player. It is capable of playing most media formats, without the need to install additional codecs.
These flaws were reported by Dan Rosenberg from Virtual Security Research (VSR). The VLC media player includes a decoder for the relatively rarely used CD+G format; this has two critical
heap corruption vulnerabilities.If you use VLC to play manipulated video of this format, it could cause heap corruption. This could in turn be exploited to inject and execute malicious code. The bug has already been eliminated in the corresponding repository, but not in the the official binaries of the VLC player. 
A source code patch for VLC version 1.1.5 is available from Git. Since the code of the decoder has undergone only minor changes since previous versions of VLC, the patch can probably be used to fix the vulnerability in older versions prior to 1.1.5.

No comments: