VideoLAN Security Advisory 1004 - VideoLAN
VideoLAN, a project and a non-profit organization.

Security Advisory 1004

Summary           : Insufficient input validation in VLC TagLib plugin
Date              : August 2010
Affected versions : VLC media player versions 1.1.2 down to 0.9.0
ID                : VideoLAN-SA-1004
CVE reference     : CVE-2010-2937

Details

VLC fails to perform sufficient input validation when trying to extract some meta-informations about input media through ID3v2 tags. In the failure case, VLC attempt dereference an invalid memory address, and a crash will ensure.

Impact

In the failure case, VLC will dereference a memory address within the first page of its process virtual memory. In normal conditions, this will result in a segmentation fault (a general protection fault on Windows), and the process will terminate abruptly. This vulnerability alone is not sufficient for an attacker to execute arbitraty code or otherwise alter the flow of execution other than to crash the process.

In most usage scenarii, this will only cause user annoyance.

Threat mitigation

Exploitation of this issue requires the user to include a file in its playlist or to attempt to open it.

Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

Solution

VLC media player 1.1.3 addresses this issue. Patches for VLC media player 1.1.x and 1.0.x are available from the corresponding official VLC source code repositories.

Credits

This vulnerability was reported by FortiGuard Labs.

References

The VideoLAN project
http://www.videolan.org/
FortiGuard Labs
http://www.fortinet.com/
Patch for VLC 1.1.2, 1.1.1, 1.1.0
commit 24918843e57c7962e28fcb01845adce82bed6516
Patch for VLC 1.0.6
commit 22a22e356c9d93993086810b2e25b59b55925b3a

History

29 July 2010
Vendor private notification.
9 August 2010
Initial fix.
11 August 2010
Initial security advisory.
Vendor patch for VLC 1.1.2 and 1.0.6 and development versions.
CVE reference assigned.
18 August 2010
VLC 1.1.3 release.
Rémi Denis-Courmont,
on behalf of the VideoLAN project