VLC Media Player < 2.0.5 Multiple Vulnerabilities

Nessus Network Monitor Plugin ID 6658 (Severity: High)

Synopsis

The remote host contains an application that is affected by multiple vulnerabilities.

Description

The remote host is running VLC 2.x prior to 2.0.5 and is affected by multiple vulnerabilities:

- The file 'modules/codec/subsdec.c' ('libsubsdec_plugin.dll') does not properly validate input, which can allow a buffer overflow. Opening a specially crafted file can result in the execution of arbitrary code. Note that the subtitles feature must be enabled for successful exploitation.
- The 'freetype' renderer does not properly validate input, which can allow a buffer overflow. Opening a specially crafted file can result in the execution of arbitrary code.
- Unspecified errors exist related to 'libaiff_plugin.dll' and to the 'SWF' demuxer that have unspecified impact.

Solution

Upgrade to VLC Media Player version 2.0.5 or later.

See Also

http://www.videolan.org/vlc/releases/2.0.5.html

http://www.videolan.org/security/sa1301.html

http://www.nessus.org/u?4cd2e15e

http://www.securitytracker.com/id?1027929

Plugin Details

Severity: High

ID: 6658

File Name: 6658.prm

Family: Web Clients

Published: 2013/01/07

Modified: 2016/12/06

Dependencies: 9797

Nessus ID: 63381

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:videolan:vlc_media_player

Patch Publication Date: 2012/12/15

Vulnerability Publication Date: 2012/12/07

Reference Information

CVE: CVE-2013-1868

BID: 57079