Executive Summary
Summary | |
---|---|
Title | vlc security update |
Informations | |||
---|---|---|---|
Name | DSA-2218 | First vendor Publication | 2011-04-12 |
Vendor | Debian | Last vendor Modification | 2011-04-12 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Aliz Hammond discovered that the MP4 decoder plugin of vlc, a multimedia player and streamer, is vulnerable to a heap-based buffer overflow. This has been introduced by a wrong data type being used for a size calculation. An attacker could use this flaw to trick a victim into opening a specially crafted MP4 file and possibly execute arbitrary code or crash the media player. The oldstable distribution (lenny) is not affected by this problem. For the stable distribution (squeeze), this problem has been fixed in version 1.1.3-1squeeze5. For the testing distribution (wheezy), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 1.1.8-3. We recommend that you upgrade your vlc packages. |
Original Source
Url : http://www.debian.org/security/2011/dsa-2218 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:14741 | |||
Oval ID: | oval:org.mitre.oval:def:14741 | ||
Title: | Heap-based buffer overflow in the MP4_ReadBox_skcr function in libmp4.c in the MP4 demultiplexer in VideoLAN VLC media player | ||
Description: | Heap-based buffer overflow in the MP4_ReadBox_skcr function in libmp4.c in the MP4 demultiplexer in VideoLAN VLC media player 1.x before 1.1.9 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted MP4 file. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-1684 | Version: | 7 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP | Product(s): | VLC Media Player |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-05-16 | Name : VLC Media Player 'MP4_ReadBox_skcr()' Buffer Overflow Vulnerability (Linux) File : nvt/gb_vlc_media_player_mp4_bof_vuln_lin.nasl |
2011-05-16 | Name : VLC Media Player 'MP4_ReadBox_skcr()' Buffer Overflow Vulnerability (Windows) File : nvt/gb_vlc_media_player_mp4_bof_vuln_win.nasl |
2011-05-12 | Name : Debian Security Advisory DSA 2218-1 (vlc) File : nvt/deb_2218_1.nasl |
2011-05-12 | Name : FreeBSD Ports: vlc File : nvt/freebsd_vlc5.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
71705 | VLC Media Player modules/demux/mp4/libmp4.c MP4_ReadBox_skcr() Function Overflow |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-11-06 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201411-01.nasl - Type : ACT_GATHER_INFO |
2011-04-13 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2218.nasl - Type : ACT_GATHER_INFO |
2011-04-13 | Name : The remote Windows host contains a media player that is affected by multiple ... File : vlc_1_1_9.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:30:05 |
|