Executive Summary
Summary | |
---|---|
Title | liblivemedia security update |
Information | |||
---|---|---|---|
Name | DSA-3156 | First vendor Publication | 2015-02-07 |
Vendor | Debian | Last vendor Modification | 2015-02-07 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability SubScore | NA | ||
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
CVSS Base Score | 7.5 | Attack Range | Network |
CVSS Impact Score | 6.4 | Attack Complexity | Low |
CVSS Exploit Score | 10 | Authentication | None Required |
Detail
A vulnerability was found in liveMedia, a set of C++ libraries for multimedia streaming. RTSP messages starting with whitespace were assumed to have a zero length, triggering an integer underflow, infinite loop, and then a buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution via crafted RTSP messages.

The packages vlc and mplayer have also been updated to reflect this improvement.

For the stable distribution (wheezy), this problem has been fixed in liblivemedia version 2012.05.17-1+wheezy1, vlc version 2.0.3-5+deb7u2+b1, and mplayer version 2:1.0~rc4.dfsg1+svn34540-1+deb7u1.

For the upcoming stable distribution (jessie), this problem has been fixed in liblivemedia version 2014.01.13-1.

For the unstable distribution (sid), this problem has been fixed in liblivemedia version 2014.01.13-1.

We recommend that you upgrade your liblivemedia, vlc, and mplayer packages.
Original Source
Url : http://www.debian.org/security/2015/dsa-3156 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
50 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:26500 | |||
Oval ID: | oval:org.mitre.oval:def:26500 | ||
Title: | Denial of service and possibly execute arbitrary code via a space or tab character at the beginning of an RTSP message | ||
Description: | The parseRTSPRequestString function in Live Networks Live555 Streaming Media 2011.08.13 through 2013.11.25, as used in VideoLAN VLC Media Player, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a (1) space or (2) tab character at the beginning of an RTSP message, which triggers an integer underflow, infinite loop, and buffer overflow. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-6933 | Version: | 3 |
Platform(s): | Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7, Microsoft Windows Server 2008 R2, Microsoft Windows 8, Microsoft Windows Server 2012, Microsoft Windows 8.1, Microsoft Windows Server 2012 R2 | Product(s): | VLC Media Player |
Snort® IPS/IDS
Date | Description |
---|---|
2019-09-17 | VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow att... RuleID : 51040 - Revision : 1 - Type : FILE-MULTIMEDIA |
2014-04-17 | VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow att... RuleID : 30215 - Revision : 5 - Type : FILE-MULTIMEDIA |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-02-04 | Name : The remote Windows host contains a media player that is affected by a buffer ... File : vlc_2_1_2.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2015-02-07 17:22:28 |