VLC Vulnerability – Read buffer overflow & double free


Systems Affected

  • VLC media player 3.0.6 and earlier
Summary           : Read buffer overflow & double free
Date              : June 2019
Affected versions : VLC media player 3.0.6 and earlier
ID                : VideoLAN-SA-1901
CVE reference     : CVE-2019-5439, CVE-2019-12874

Threat Level



A remote user can create specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer over-read in ReadFrame (demux/avi/avi.c) or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp), respectively.[1]


If you use VLC media player on your computer and haven’t updated it recently, don’t you even dare to play any untrusted, randomly downloaded video file on it.
Doing so could allow hackers to remotely take full control over your computer system.
That’s because VLC media player software versions prior to 3.0.7 contain two high-risk security vulnerabilities, besides many other medium- and low-severity security flaws, that could potentially lead to arbitrary code execution attacks. [2]


If successful, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the privileges of the target user.


VLC media player 3.0.7 addresses the issues. This release also fixes an important security issue that could lead to code execution when playing an AAC file.

Apply the necessary updates. Ensure you are running the latest version of VLC.




[1] https://www.videolan.org/security/sa1901.html

[2] https://thehackernews.com/2019/06/vlc-media-player-hacking.html


The MKV double free vulnerability was reported by Symeon Paraschoudis from Pen Test Partners.


The information provided herein is on “as is” basis, without warranty of any kind.
