lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 21 Jun 2007 11:28:11 -0700
From: David Thiel <david@...cpartners.com>
To: bugtraq@...urityfocus.com
Cc: vulnwatch@...nwatch.org
Subject: VLC 0.8.6b format string vulnerability & integer overflow

iSEC Partners Security Advisory - 2007-001-vlc
http://www.isecpartners.com
----------------------------------------------

VLC 0.8.6b format string vulnerability & integer overflow

Vendor: VideoLan
Vendor URL: http://www.videolan.org
Systems Affected: Confirmed on Windows XP, FreeBSD 6.2, MacOS X 10.4
Severity: High (memory access violations, potential code execution)
Author: David Thiel <david [at] isecpartners.com>

Vendor notified: 2007-06-05
Public release: 2007-06-21
Advisory URL: http://www.isecpartners.com/advisories/2007-001-vlc.txt
Vendor Advisory: http://www.videolan.org/sa0702.html

Summary:
--------

VLC is vulnerable to a format string attack in the parsing of Vorbis
comments in Ogg Vorbis and Ogg Theora files, CDDA data or SAP/SDP
service discovery messages. Additionally, there are two errors in the
handling of wav files, one a denial of service due to an uninitialized
variable, and one integer overflow in sampling frequency calculations.

Details:
--------

The input_vaControl function in input.c calls vasprintf() with an
externally-supplied format string, as specified in the value of a Vorbis
comment. This can lead to arbitrary code execution.

An excessively large sample rate causes an integer overflow, resulting
in a SEGV in __status_Update in stats.c.

An uninitialized i_nb_resamplers in input.c can cause a crash during 
audio stream processing.

Fix Information:
----------------

These issues are fixed version 0.8.6c. Workarounds for previous versions
are documented in the vendor advisory.

About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ