VLC Media Player < 2.0.5 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 6658

Synopsis

The remote host contains an application that is affected by multiple vulnerabilities.

Description

The remote host is running VLC 2.x prior to 2.0.5 and is affected by multiple vulnerabilities:

- An error exists in the file 'modules/codec/subsdec.c' ('libsubsdec_plugin.dll') that does not properly validate input and can allow a buffer overflow. Opening a specially crafted file can result in the execution of arbitrary code. Note that the subtitles feature must be enabled for successful exploitation.
- An error exists related to the 'freetype' renderer that does not properly validate input and can allow a buffer overflow. Opening a specially crafted file can result in the execution of arbitrary code.
- Unspecified errors exist related to 'libaiff_plugin.dll' and to the 'SWF' demuxer that have unspecified impact.

Solution

Upgrade to VLC Media Player version 2.0.5 or later.

See Also

http://www.videolan.org/vlc/releases/2.0.5.html

http://www.videolan.org/security/sa1301.html

http://www.nessus.org/u?4cd2e15e

http://www.securitytracker.com/id?1027929

Plugin Details

Severity: High

ID: 6658

Family: Web Clients

Published: 1/7/2013

Updated: 3/6/2019

Nessus ID: 63381

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:videolan:vlc_media_player

Patch Publication Date: 12/15/2012

Vulnerability Publication Date: 12/7/2012

Reference Information

CVE: CVE-2013-1868

BID: 57079