    ArchLinux: 201712-4: vlc: arbitrary code execution

    Date: 07 Dec 2017
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package vlc before version 2.2.7-1 is vulnerable to arbitrary code execution.
    Arch Linux Security Advisory ASA-201712-4
    =========================================
    
    Severity: Critical
    Date    : 2017-12-07
    CVE-ID  : CVE-2017-10699 CVE-2017-9300
    Package : vlc
    Type    : arbitrary code execution
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-533
    
    Summary
    =======
    
    The package vlc before version 2.2.7-1 is vulnerable to arbitrary code
    execution.
    
    Resolution
    ==========
    
    Upgrade to 2.2.7-1.
    
    # pacman -Syu "vlc>=2.2.7-1"
    
    The problems have been fixed upstream in version 2.2.7.
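The following script is an added example, not part of the Arch advisory or of pacman: it checks whether a vlc package version is at or above the fixed version 2.2.7-1 and, when run on an Arch system, queries the installed package with `pacman -Q`. Pacman's own `vercmp` is the authoritative comparator; the pure-shell comparator here is a simplified stand-in (epoch, then dotted numeric pkgver, then pkgrel) so that the check also runs offline on constructed version strings. Version strings containing letters (for example release-candidate suffixes) are outside what it handles.

```shell
#!/bin/sh
# Added example (not from the advisory): offline check of a vlc package version
# against the fixed version from ASA-201712-4. Simplified stand-in for pacman's
# vercmp: handles epoch:pkgver-pkgrel with numeric dotted components only.

FIXED_VERSION="2.2.7-1"

# split_version "1:2.2.7-1" -> prints "epoch pkgver pkgrel" (epoch/pkgrel default to 0)
split_version() {
    v=$1
    case $v in
        *:*) epoch=${v%%:*}; v=${v#*:} ;;
        *)   epoch=0 ;;
    esac
    case $v in
        *-*) pkgrel=${v##*-}; pkgver=${v%-*} ;;
        *)   pkgrel=0; pkgver=$v ;;
    esac
    printf '%s %s %s\n' "$epoch" "$pkgver" "$pkgrel"
}

# cmp_dotted A B: prints -1, 0 or 1 comparing dotted numeric strings component-wise;
# a missing trailing component counts as 0, so "2.2" < "2.2.7"
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# version_cmp A B: prints -1, 0 or 1, comparing epoch, then pkgver, then pkgrel
version_cmp() {
    set -- $(split_version "$1") $(split_version "$2")
    # $1 $2 $3 = epoch pkgver pkgrel of A; $4 $5 $6 = the same for B
    r=$(cmp_dotted "$1" "$4"); [ "$r" != 0 ] && { echo "$r"; return; }
    r=$(cmp_dotted "$2" "$5"); [ "$r" != 0 ] && { echo "$r"; return; }
    cmp_dotted "$3" "$6"
}

# vlc_is_fixed VERSION: exit status 0 when VERSION >= 2.2.7-1, 1 otherwise
vlc_is_fixed() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Live check on an Arch system; silently skipped where pacman is not available.
if command -v pacman >/dev/null 2>&1; then
    installed=$(pacman -Q vlc 2>/dev/null | awk '{print $2}')
    if [ -z "$installed" ]; then
        echo "vlc is not installed"
    elif vlc_is_fixed "$installed"; then
        echo "vlc $installed: at or above 2.2.7-1, not affected by ASA-201712-4"
    else
        echo "vlc $installed: VULNERABLE, run: pacman -Syu \"vlc>=2.2.7-1\""
    fi
fi
```

The comparator treats a bumped epoch (for example `1:2.2.6-1`) as newer than any un-epoched version, which is how pacman orders packages as well; that is why the check compares epoch first rather than only the dotted version.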
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2017-10699 (arbitrary code execution)
    
    It was discovered that avcodec 2.2.x, as used in VideoLAN VLC media
    player before 2.2.7, allows an out-of-bounds heap memory write caused
    by calling memcpy() with a wrong size, leading to a denial of service
    (application crash) or possibly code execution.
    
    - CVE-2017-9300 (arbitrary code execution)
    
    It was discovered that plugins\codec\libflac_plugin.so in VideoLAN VLC
    media player before 2.2.7 allows remote attackers to cause heap
    corruption and an application crash, leading to denial of service or
    possibly execution of arbitrary code, via a crafted FLAC file.
    
    Impact
    ======
    
    A remote attacker is able to execute arbitrary code on the host by
    providing a maliciously-crafted media file to VLC.
    
    References
    ==========
    
    https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=6cc73bcad19da2cd2e95671173f2e0d203a57e9b
    https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=a38a85db58c569cc592d9380cc07096757ef3d49
    https://trac.videolan.org/vlc/ticket/18467
    https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=55a82442cfea9dab8b853f3a4610f2880c5fadf3
    https://security.archlinux.org/CVE-2017-10699
    https://security.archlinux.org/CVE-2017-9300
    
