lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAN1eSks8184e7qieU4ab340SOyxa3F02S5Symo5f-w7xWWht5A@mail.gmail.com> Date: Mon, 29 Mar 2021 18:35:44 +0800 From: houjingyi <houjingyi647@...il.com> To: fulldisclosure@...lists.org Subject: [FD] PotPlayer denial of service vulnerability PotPlayer is a multimedia software player developed for the Microsoft Windows operating system by South Korean Internet company Kakao (formerly Daum Communications). It competes with other popular Windows media players such as VLC media player, GOM Player, KMPlayer, SMPlayer and Media Player Classic. PotPlayer's reception has been positive with reviewers complimenting its wide range of settings and customizations, as well as its lightweight nature and its support for a large variety of media formats. I found a denial of service vulnerability in PotPlayer by accident. vulnerable version : 210127 fixed version : 210318 I just dragged https://bugzilla.libav.org/show_bug.cgi?id=929 into PotPlayer and it crashed. A dmp file can be found at directory like : C:\Users\xxxxxx\AppData\Roaming\Daum\PotPlayer\Log I think this is maybe PotPlayer is not using the latest version of libav and I contacted Korea Internet & Security Agency. vendor response: " Hello, This is Kakao Security Team. Thank you for providing the Korea Internet & Security Agency with information on the security vulnerability of the potplayer service. Results of internal Review We have determined that an error occurs when running MP4 files that do not fit the format. However, - the potplayer service does not use the libav library - and the user's own potplayer program is terminated * so it is not judged to be a security vulnerability. * Currently, a revised version has been distributed. Thank you for reporting the security vulnerability. Please contact me if you have any questions. Kakao Security Team. " I do not know why they think this is not a security vulnerability, maybe it can just cause crash and cannot be exploited? I did not investigate further, but I can confirm this get fixed in the latest version. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists