Network Security Vuln-Dev

VLC 0.8.6b format string vulnerability & integer overflow

Subject: VLC 0.8.6b format string vulnerability & integer overflow
Date: Thu, 21 Jun 2007 11:28:11 -0700
iSEC Partners Security Advisory - 2007-001-vlc
http://www.isecpartners.com
----------------------------------------------

VLC 0.8.6b format string vulnerability & integer overflow

Vendor: VideoLAN
Vendor URL: http://www.videolan.org
Systems Affected: Confirmed on Windows XP, FreeBSD 6.2, Mac OS X 10.4
Severity: High (memory access violations, potential code execution)
Author: David Thiel <david [at] isecpartners.com>

Vendor notified: 2007-06-05
Public release: 2007-06-21
Advisory URL: http://www.isecpartners.com/advisories/2007-001-vlc.txt
Vendor Advisory: http://www.videolan.org/sa0702.html

Summary:
--------

VLC is vulnerable to a format string attack in the parsing of Vorbis
comments in Ogg Vorbis and Ogg Theora files, CDDA data or SAP/SDP
service discovery messages. Additionally, there are two errors in the
handling of WAV files: a denial of service due to an uninitialized
variable, and an integer overflow in sampling frequency calculations.

Details:
--------

The input_vaControl function in input.c calls vasprintf() with an
externally-supplied format string taken from the value of a Vorbis
comment; the same path is reached from CDDA data and SAP/SDP service
discovery messages. Because the attacker chooses the conversion
directives, the call can read stack memory and, via %n, write to it,
which can lead to arbitrary code execution.
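As an added illustration (not code from the advisory or from VLC), the following C program parses a constructed Vorbis comment header and shows the two call-site shapes the advisory contrasts: the comment value used directly as the format string, and the fixed form that passes it as data to a constant "%s" format. format_status() is a hypothetical stand-in for the input_vaControl path, built on vsnprintf rather than vasprintf so that it is plain C99; the packet bytes, the comment-list parser and the count_directives() helper are constructed for this example and are not VLC's code.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COMMENTS 16
#define MSG_MAX      256

/* Constructed Vorbis comment header: "\x03vorbis", vendor string, then a
   list of length-prefixed "KEY=value" strings. The first comment carries
   printf directives, as a hostile file would. */
static const uint8_t PACKET[] =
    "\x03vorbis"
    "\x04\x00\x00\x00" "test"             /* vendor string */
    "\x02\x00\x00\x00"                    /* two user comments */
    "\x0e\x00\x00\x00" "TITLE=%x.%x.%n"   /* 14 bytes, hostile */
    "\x0f\x00\x00\x00" "ARTIST=Ogg Band"  /* 15 bytes, benign */
    "\x01";                               /* framing bit */
#define PACKET_LEN (sizeof PACKET - 1)    /* drop the literal's NUL */

struct comment_list { char *items[MAX_COMMENTS]; size_t count; };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void free_comments(struct comment_list *cl)
{
    while (cl->count) free(cl->items[--cl->count]);
}

/* Parse the user-comment list. Every length is checked against the bytes
   remaining, so a short or lying header is rejected rather than over-read.
   Returns the number of comments, or -1 on malformed input. */
static int parse_vorbis_comments(const uint8_t *pkt, size_t len, struct comment_list *out)
{
    size_t pos = 7;
    uint32_t n, i;

    out->count = 0;
    if (len < pos || memcmp(pkt, "\x03vorbis", pos) != 0) return -1;
    if (len - pos < 4) return -1;
    n = rd32le(pkt + pos); pos += 4;          /* vendor string length */
    if (n > len - pos) return -1;
    pos += n;                                 /* vendor string skipped */
    if (len - pos < 4) return -1;
    n = rd32le(pkt + pos); pos += 4;          /* comment count */
    if (n > MAX_COMMENTS) return -1;
    for (i = 0; i < n; i++) {
        uint32_t clen;
        if (len - pos < 4) break;
        clen = rd32le(pkt + pos); pos += 4;
        if (clen > len - pos) break;          /* claims more than is present */
        if (!(out->items[i] = malloc((size_t)clen + 1))) break;
        memcpy(out->items[i], pkt + pos, clen);
        out->items[i][clen] = '\0';
        pos += clen;
        out->count = i + 1;
    }
    if (out->count != n) { free_comments(out); return -1; }
    return (int)n;
}

/* Hypothetical stand-in for the status-message path the advisory names
   (input_vaControl -> vasprintf); vsnprintf keeps it plain C99. Whoever
   controls fmt controls what printf does with the argument stack. */
static char *format_status(const char *fmt, ...)
{
    char *msg = malloc(MSG_MAX);
    va_list ap;
    if (!msg) return NULL;
    va_start(ap, fmt);
    vsnprintf(msg, MSG_MAX, fmt, ap);
    va_end(ap);
    return msg;
}

/* 0.8.6b shape: the comment value itself is the format string. Fed
   PACKET's first comment, %x reads stack words and %n writes one. */
static char *announce_vulnerable(const char *comment) { return format_status(comment); }

/* Fixed shape: constant format, the comment is only data copied by %s. */
static char *announce_fixed(const char *comment) { return format_status("%s", comment); }

/* Conversions a string would trigger as a format ("%%" is a literal percent). */
static size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (*s == '%' && *++s != '%') { n++; s--; }   /* step back onto the '%' */
    return n;
}

int main(void)
{
    struct comment_list cl;
    if (parse_vorbis_comments(PACKET, PACKET_LEN, &cl) < 0) return 1;
    for (size_t i = 0; i < cl.count; i++) {
        char *safe = announce_fixed(cl.items[i]);   /* announce_vulnerable() is deliberately not run */
        printf("%zu directive(s): %s\n", count_directives(cl.items[i]), safe);
        free(safe);
    }
    free_comments(&cl);
    return 0;
}
```

Both announce functions behave identically on a benign comment such as "ARTIST=Ogg Band", which is why a bug of this shape survives ordinary testing; only a value containing conversion directives separates them, and count_directives() is the kind of tripwire worth logging on any string that reaches a printf-family call without a constant format.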

In the WAV demuxer, an excessively large sample rate causes an integer
overflow in the sampling frequency calculations, resulting in a SEGV in
__status_Update in stats.c.
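The advisory does not say which expression overflows, so the following C program, added here and not taken from VLC, uses a hypothetical WAV "fmt " chunk parser to show the general failure: a bytes-per-second value derived from the header's 32-bit sample rate wraps silently in 32-bit arithmetic, while a checked multiplication refuses the header instead. The two fmt chunks are constructed for this example, and the strict byte-rate comparison in parse_wav_fmt() is a policy choice of the example, not something the advisory attributes to VLC.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Body of a PCM RIFF/WAVE "fmt " chunk (16 bytes, little-endian). */
struct wav_fmt {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t sample_rate;
    uint32_t byte_rate;        /* as stored in the file, untrusted */
    uint16_t block_align;
    uint16_t bits_per_sample;
};

/* Constructed chunks: CD-quality stereo, and one claiming a 4 GHz sample
   rate whose stored byte rate is the already-wrapped product. */
static const uint8_t SANE_FMT[16] = {
    0x01, 0x00,  0x02, 0x00,            /* PCM, 2 channels */
    0x44, 0xAC, 0x00, 0x00,             /* 44100 Hz */
    0x10, 0xB1, 0x02, 0x00,             /* 176400 bytes/s */
    0x04, 0x00,  0x10, 0x00             /* block align 4, 16 bit */
};
static const uint8_t HOSTILE_FMT[16] = {
    0x01, 0x00,  0x02, 0x00,
    0xFF, 0xFF, 0xFF, 0xFF,             /* 4294967295 Hz */
    0xFC, 0xFF, 0xFF, 0xFF,             /* 0xFFFFFFFC = rate * 4 mod 2^32 */
    0x04, 0x00,  0x10, 0x00
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 32-bit multiply that reports overflow instead of wrapping. */
static bool mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t r = (uint64_t)a * b;
    if (r > UINT32_MAX) return false;
    *out = (uint32_t)r;
    return true;
}

/* The 0.8.6b shape: plain 32-bit arithmetic on header values. On the
   hostile chunk the product wraps, and whatever buffer size or timing
   calculation consumes it downstream is handed a nonsense value. */
static uint32_t bytes_per_second_unchecked(const struct wav_fmt *f)
{
    return f->sample_rate * f->channels * (f->bits_per_sample / 8u);
}

/* Checked shape: refuse any header whose derived rate does not fit. */
static bool bytes_per_second_checked(const struct wav_fmt *f, uint32_t *out)
{
    uint32_t frame;
    if (f->channels == 0 || f->bits_per_sample == 0 || f->bits_per_sample % 8)
        return false;
    return mul_u32(f->channels, f->bits_per_sample / 8u, &frame) &&
           mul_u32(f->sample_rate, frame, out);
}

/* Decode the chunk, then validate: the derived byte rate must be
   representable and (example policy) must match what the header claims. */
static bool parse_wav_fmt(const uint8_t *buf, size_t len, struct wav_fmt *f)
{
    uint32_t bps;
    if (len < 16) return false;
    f->format_tag      = rd16le(buf + 0);
    f->channels        = rd16le(buf + 2);
    f->sample_rate     = rd32le(buf + 4);
    f->byte_rate       = rd32le(buf + 8);
    f->block_align     = rd16le(buf + 12);
    f->bits_per_sample = rd16le(buf + 14);
    if (!bytes_per_second_checked(f, &bps)) return false;   /* would overflow */
    return bps == f->byte_rate;
}

int main(void)
{
    struct wav_fmt f;
    uint32_t bps;
    if (parse_wav_fmt(SANE_FMT, sizeof SANE_FMT, &f) && bytes_per_second_checked(&f, &bps))
        printf("sane: %u Hz -> %u bytes/s\n", f.sample_rate, bps);
    if (!parse_wav_fmt(HOSTILE_FMT, sizeof HOSTILE_FMT, &f))
        printf("hostile: rejected; unchecked arithmetic would have produced %u\n",
               bytes_per_second_unchecked(&f));
    return 0;
}
```

Widening to 64 bits before the multiply is the portable way to write the check in C99; on GCC and Clang __builtin_mul_overflow() expresses the same test in one call. The point to carry away is that every value derived from a rate, channel count or sample size in a demuxer header is attacker-controlled arithmetic and needs a bound before it is used for allocation or timing.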

An uninitialized i_nb_resamplers in input.c can cause a crash during
audio stream processing.

Fix Information:
----------------

These issues are fixed in version 0.8.6c. Workarounds for previous
versions are documented in the vendor advisory.

About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052
