Security Advisory 1001
Summary : Clam AntiVirus input validation error
Date : February 2010
Affected versions : VLC media player 1.0.5 for Windows
Clam AntiVirus all versions
ID : VideoLAN-SA-1001
CVE reference : N/A
Details
Clam AntiVirus incorrectly identifies the x86 SSE2-accelerated I:4:2:2 chroma conversion plugin as a computer trojan. This affects builds of VLC media player made with recent versions of the MinGW compilation toolchain.
Impact
Copying, installing and/or using VLC media player or applications based on LibVLC may be impossible.
Threat mitigation
This issue only affects users of Clam AntiVirus or anti-virus software using the same virus database.
Solution
Remove Clam AntiVirus before downloading VLC media player.
An anti-virus database has to be up-to-date to be of much use. Around 20% of tested antivirus products incorrectly detected VLC 1.0.5 as a trojan at the time of release. Kaspersky Anti-Virus was updated within one business day. The VideoLAN project advises against the use of Clam AntiVirus. Users should not rely on security software which fails to be updated within a full month (to date).
Credits
This vulnerability was reported by many different people individually.
References
- The VideoLAN project: http://www.videolan.org/
History
- 28 January 2010: VLC media player 1.0.5 released.
- 15 February 2010 (probably earlier): Vendor notification.
- 28 February 2010: Initial security advisory.
Rémi Denis-Courmont,
on behalf of the VideoLAN project