VLC says ‘non-exploitable’ flaws in VLC 2.1.5 have been fixed
Users of the popular open source media player VLC could be susceptible to two memory corruption flaws affecting some versions of the software running on Windows XP.
Turkish researcher Veysel Hatas discovered the vulnerabilities in VLC 2.1.5 in November and reported them to the VLC project’s developers VideoLAN on 26 December before publishing the findings on the 9 January after they weren’t fixed.
Hatas said the severity of both flaws was “high” and were posted on Full Disclosure last week.
“VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted FLV file,” said Hatas of the first vulnerability. “This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.”
“VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted M2V file,” Hatas described the second bug. “This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.”
VideoLAN told TechWeekEurope that the bugs described are NOT VLC vulnerabilities and have already been fixed upstream and that most Linux distributions have already fixed them. It added that VLC 2.2.0-rc2 already fixes the issue for Windows and OSX and claimed the issue was not exploitable.
“The reporter was notified, and did not care,” said the organisation.
Are you a security pro? Try our quiz!