• VideoLAN Project
• VLC media player
• Software Projects
• Doc/Support
• Wiki
• Forum
• Developers

• developers
• VLC
• VLS
• x264
• libdca
• libdvdcss
• libbluray
• libdvbpsi
• libdvbcsa
• Translations
• trac

• Documentation
• Wiki
• Support

• VideoLAN
• VLC media player
• Documentation
• Support

• Home
• News
• Organisation
• Team
• Contribute
• Partners
• Events
• Goodies

• overview
• vlc
• x264
• dvblast
• multicat
• vlma

• Download
• Features
• Screenshots
• Streaming
• Skins

• Overview
• Download
• Documentation
• Screenshots

• Overview
• FAQ
• Mailing lists

Security Advisory 0702

Summary           : Format string injection in Vorbis, Theora, SAP
                    and CDDA plugins
Date              : 12 June 2007
Affected versions : VLC media player 0.8.6b and earlier
ID                : VideoLAN-SA-0702
CVE reference     : CVE-2007-3316

Details

VLC media player Ogg/Vorbis, Ogg/Theora, CDDA (CD Digital Audio) and SAP (Service Announce Protocol) plugins are prone to a C-style format string vulnerability when trying to parse a media data stream.

Valid but carefully crafted .ogg (Vorbis) or .ogm (Theora) files, CDDB entries or SAP/SDP messages can trigger the bug. We therefore consider this bug to have a high severity.

Impact

If successful, a malicious third party could use this vulnerability to execute arbitrary code within the context of VLC media player (i.e. acquire local user privileges on the vulnerable system), or crash the player instance.

Threat mitigation

Exploitation of this bug requires getting VLC to read a crafted Ogg file, an Audio CD with a crafted CDDB entry. If SAP service discovery is enabled, the bug can be exploited by sending a crafted multicast packets on the network.

Workarounds

If support for Audio CDs and ogg files are not used, one can remove the affected plugins manually from the VLC plugin "access" directory. Relevant filenames are as follow:

Microsoft Windows

codec/libvorbis_plugin.dll, codec/libtheora_plugin.dll and access/libcdda_plugin.dll

Apple MacOS X

codec/libvorbis_plugin.dylib, codec/libtheora_plugin.dylib and access/libcdda_plugin.dylib

Other (Linux, BSD...)

codec/libvorbis_plugin.so, codec/libtheora_plugin.so and access/libcdda_plugin.so (typically found in /usr/lib or /usr/local/lib).

Otherwise, files coming from untrusted source should not be opened, and CDDB must be disabled.

The SAP service discovery plugin must not enabled (it is disabled by default).

Solution

VLC media player 0.8.6c addresses this issue and introduces further usability fixes.

Pre-compiled packages for Mac OS X and MS Windows should be shortly available at the usual download locations.

Linux and BSD users should get relevant software upgrades from their respective distribution/OS vendor.

Credits

This bug responsibly reported by David Thiel from iSEC Partners Inc, originally for the Ogg/Vorbis plugin, and was found to affect other plugins after further internal analysis.

References

iSEC Partners Inc.

http://www.isecpartners.com/

The VideoLAN project

http://www.videolan.org/

History

22 June 2007

Added CVE candidate ID reference

17 June 2007

VLC 0.8.6c bugfix release

Binaries for Windows and Mac OS X

07 June 2007

Source code fixes for VLC 0.8.6b and development tree

06 June 2007

Bug reported by David Thiel

Rémi Denis-Courmont,
on behalf of the VideoLAN project