brainslicer, posted 1 December 2007

update to 0.8.6d
http://www.videolan.org/

VLC media player versions 0.8.6 to 0.8.6c suffer from a security vulnerability in the ActiveX plugin. More technical details are available in our advisory.

An updated release of VLC is available which includes a few other fixes as well, notably better compatibility with MacOSX 10.5 Leopard. The full list of changes can be found here.

We strongly recommend all users to update to this new version.

Note that early and broken Win32 binaries have been distributed by third party websites. Make sure to download from an official VideoLAN mirror to avoid disappointment.

brainslicer, posted 3 December 2007

same from Sitic now:

VLC Media Player ActiveX Plugin and FLAC Vulnerabilities

Secunia Advisory: SA27878
Release Date: 2007-12-03
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch

Description: Some vulnerabilities have been reported in VLC Media Player, which potentially can be exploited by malicious people to compromise a user's system.

1) An error within the ActiveX plugin of VLC Media Player can be exploited to overwrite certain memory zones and execute arbitrary code when a user e.g. visits a malicious website.
Note: This affects the Windows versions only.

2) Some vulnerabilities are caused due to the use of a vulnerable version of the FLAC library, which contains multiple integer overflows.
For more information: SA27210
Note: This may affect the Windows and Mac OS X binaries only.

Solution: Update to version 0.8.6d.
http://www.videolan.org/vlc/

brainslicer, posted 25 December 2007

New vulnerabilities in VLC:

VLC Media Player Multiple Vulnerabilities

Secunia Advisory: SA28233
Release Date: 2007-12-25
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Software: VLC media player 0.x

Description: Some vulnerabilities have been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user's system.

1) Boundary errors in the "ParseMicroDvd()", "ParseSSA()", and "ParseVplayer()" functions when handling subtitles can be exploited to cause stack-based buffer overflows.

2) A format string error in the web interface listening on port 8080/tcp (disabled by default) can be exploited via a specially crafted HTTP request with a "Connection" header value containing format specifiers.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

The vulnerabilities have been confirmed in version 0.8.6d. Other versions may also be affected.

Solution: Fixed in the SVN repository.

_________________________________

some other current ones
- phpAutoVideo Two File Inclusion Vulnerabilities
- WinAce UUE File Decompression Buffer Overflow
- Zoom Player Error Message Buffer Overflow Vulnerability

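An added example, not part of the thread and not VLC's code: the two bug classes named in SA28233 (boundary errors and a format string error) both come down to how untrusted text reaches a formatting call. The function names and the sample header value below are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not VLC code. Writes "name: value" into out.
 * The bug class named in the advisory is the pattern
 *     snprintf(out, out_len, value);   // request data used as the format
 * Here the value is only ever an argument to a constant format string,
 * and snprintf bounds the write to out_len bytes.
 * Returns 0 on success, -1 if the line did not fit (output is truncated). */
int log_header_safe(char *out, size_t out_len, const char *name, const char *value)
{
    int n = snprintf(out, out_len, "%s: %s", name, value);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Coarse detection heuristic (an assumption, not a full printf parser):
 * counts '%' characters that start a conversion, skipping literal "%%". */
size_t count_format_specifiers(const char *s)
{
    size_t count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        if (s[1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample header value, not taken from any real request. */
    const char *value = "%x%s%%n";
    char line[64];

    if (log_header_safe(line, sizeof line, "Connection", value) == 0)
        printf("logged verbatim: %s\n", line);
    printf("suspicious specifiers: %zu\n", count_format_specifiers(value));
    return 0;
}
```
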
brainslicer, posted 10 January 2008

VLC Media Player SDP Processing Buffer Overflow Vulnerability

Secunia Advisory: SA28383
Release Date: 2008-01-10
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched
Software: VLC media player 0.x

This advisory is currently marked as unpatched! - Companies can be alerted when a patch is released!

Description: Luigi Auriemma has reported a vulnerability in VLC Media Player, which can potentially be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within modules/access/rtsp/real_sdpplin.c when processing SDP data (Session Description Protocol) for RTSP sessions. This can be exploited to cause a heap-based buffer overflow e.g. when a user is enticed to connect to a malicious server.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 0.8.6d. Other versions may also be affected.

Solution: Do not connect to untrusted streaming servers.