GLSA-200803-13

Executive Summary

Summary
Title	VLC: Multiple vulnerabilities

Informations
Name	GLSA-200803-13	First vendor Publication	2008-03-07
Vendor	Gentoo	Last vendor Modification	2008-03-07
Severity (Vendor)	High	Revision	N/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	10	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	10	Authentification	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities were found in VLC, allowing for the execution of arbitrary code and Denial of Service.

Background

VLC is a cross-platform media player and streaming server.

Description

Multiple vulnerabilities were found in VLC:

* Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd(),
ParseSSA(), and ParseVplayer() functions in the modules/demux/subtitle.c file, allowing for a stack-based buffer overflow (CVE-2007-6681).

* The web interface listening on port 8080/tcp contains a format string error in the httpd_FileCallBack() function in the network/httpd.c file (CVE-2007-6682).

* The browser plugin possibly contains an argument injection vulnerability (CVE-2007-6683).

* The RSTP module triggers a NULL pointer dereference when processing a request without a "Transport" parameter (CVE-2007-6684).

* Luigi Auriemma and Remi Denis-Courmont found a boundary error in the modules/access/rtsp/real_sdpplin.c file when processing SDP data for RTSP sessions (CVE-2008-0295) and a vulnerability in the libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a heap-based buffer overflow.

* Felipe Manzano and Anibal Sacco (Core Security Technologies)
discovered an arbitrary memory overwrite vulnerability in VLC's MPEG-4 file format parser (CVE-2008-0984).

Impact

A remote attacker could send a long subtitle in a file that a user is enticed to open, a specially crafted MP4 input file, long SDP data, or a specially crafted HTTP request with a "Connection" header value containing format specifiers, possibly resulting in the remote execution of arbitrary code. Also, a Denial of Service could be caused and arbitrary files could be overwritten via the "demuxdump-file"
option in a filename in a playlist or via an EXTVLCOPT statement in an MP3 file.

Workaround

There is no known workaround at this time.

Resolution

All VLC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6e"

References

[ 1 ] CVE-2007-6681 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6681
[ 2 ] CVE-2007-6682 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6682
[ 3 ] CVE-2007-6683 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6683
[ 4 ] CVE-2007-6684 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6684
[ 5 ] CVE-2008-0295 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0295
[ 6 ] CVE-2008-0296 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296
[ 7 ] CVE-2008-0984 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0984

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200803-13.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200803-13.xml

CWE : Common Weakness Enumeration

id	Name
CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-399	Resource Management Errors
CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14334

Oval ID:	oval:org.mitre.oval:def:14334
Title:	Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d
Description:	Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via a long subtitle in a (1) MicroDvd, (2) SSA, and (3) Vplayer file.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2007-6681	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	VLC Media Player
Definition Synopsis:
VLC media player is installed AND Version of VLC Media Player equal to 0.8.6d

Definition Id: oval:org.mitre.oval:def:14790

Oval ID:	oval:org.mitre.oval:def:14790
Title:	Format string vulnerability in the httpd_FileCallBack function (network/httpd.c) in VideoLAN VLC 0.8.6d
Description:	Format string vulnerability in the httpd_FileCallBack function (network/httpd.c) in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via format string specifiers in the Connection parameter.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2007-6682	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	VLC Media Player
Definition Synopsis:
VLC media player is installed AND Version of VLC Media Player equal to 0.8.6d

Definition Id: oval:org.mitre.oval:def:14619

Oval ID:	oval:org.mitre.oval:def:14619
Title:	The browser plugin in VideoLAN VLC 0.8.6d allows remote attackers to overwrite arbitrary files
Description:	The browser plugin in VideoLAN VLC 0.8.6d allows remote attackers to overwrite arbitrary files via (1) the :demuxdump-file option in a filename in a playlist, or (2) a EXTVLCOPT statement in an MP3 file, possibly an argument injection vulnerability.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2007-6683	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	VLC Media Player
Definition Synopsis:
VLC media player is installed AND Version of VLC Media Player equal to 0.8.6d

Definition Id: oval:org.mitre.oval:def:14876

Oval ID:	oval:org.mitre.oval:def:14876
Title:	The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to cause a denial of service
Description:	The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to cause a denial of service (crash) via a request without a Transport parameter, which triggers a NULL pointer dereference.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2007-6684	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	VLC Media Player
Definition Synopsis:
VLC media player is installed AND Version of VLC Media Player equal to 0.8.6d

Definition Id: oval:org.mitre.oval:def:14776

Oval ID:	oval:org.mitre.oval:def:14776
Title:	Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier
Description:	Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier, allows user-assisted remote attackers to cause a denial of service (crash) or execute arbitrary code via long Session Description Protocol (SDP) data.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2008-0295	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	VLC Media Player
Definition Synopsis:
VLC media player is installed AND Version of VLC Media Player less than or equal to 0.8.6d

Definition Id: oval:org.mitre.oval:def:14597

Oval ID:	oval:org.mitre.oval:def:14597
Title:	Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows
Description:	Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows might allow remote RTSP servers to cause a denial of service (application crash) or execute arbitrary code via a long string.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2008-0296	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP	Product(s):	VLC Media Player
Definition Synopsis:
VLC media player is installed AND Version of VLC Media Player less than or equal to 0.8.6d

CPE : Common Platform Enumeration

Type	Description	Count
Application	Miro Miro Player cpe:/a:miro:miro_player:1.1	1
Application	Videolan Vlc cpe:/a:videolan:vlc:0.8.6d	1
Application	Videolan Vlc Media Player cpe:/a:videolan:vlc_media_player:0.8.6d	1

ExploitDB Exploits

id	Description
2008-05-23	VLC 0.8.6d SSA Parsing Double Sh311 Universal Exploit
2008-04-28	VLC 0.8.6d httpd_FileCallBack Remote Format String Exploit

Open Source Vulnerability Database (OSVDB)

id	Description
43002	VLC Media Player MP4 Demuxer (mp4.c) Arbitrary Memory Overwrite
42208	VLC Media Player network/httpd.c httpd_FileCallBack Function Connection Param...
42207	VLC Media Player modules/demux/subtitle.c Multiple File Format subtitle Handl...
42206	VLC Media Player Browser Plug-in MP3 File EXTVLCOPT Statement Arbitrary File ...
42205	VLC Media Player Browser Plug-in Playlist Filename :demuxdump-file Option Arb...
42204	VLC Media Player RTSP Module Malformed Request Remote DoS
42194	Xine Library modules/access/rtsp/real_sdpplin.c SDP Data Handling Overflow
42193	VLC Media Player on Windows RTSP Data Handling Unspecified Remote Overflow

Type	Count
Oval ID(s)	6
CPE ID(s)	3
osvdb(s)	8
Milw0rm Exploit(s)	2
ExploitDB Exploit(s)	2

Related	Severity
CVE-2008-0296	(Critical)
CVE-2008-0984	(Critical)
CVE-2008-0295	(High)
GLSA-200804-25	(High)
CVE-2007-6682	(High)
CVE-2007-6681	(High)
CVE-2007-6684	(Medium)
CVE-2007-6683	(Medium)