VLC Format String Vulnerability And Integer Overflow
25 Jun. 2007
Summary
VLC is vulnerable to a format string attack in the parsing of Vorbis comments in Ogg Vorbis and Ogg Theora files, CDDA data or SAP/SDP service discovery messages. Additionally, there are two errors in the handling of WAV files: one a denial of service due to an uninitialized variable, the other an integer overflow in sampling frequency calculations.
The input_vaControl function in input.c calls vasprintf() with an externally-supplied format string, as specified in the value of a Vorbis comment. This can lead to arbitrary code execution.
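The defect class and its fix, shown as an added example that is not VLC's code: vformat, set_title_vulnerable, set_title_fixed and has_format_directive are hypothetical names standing in for the vasprintf() call in input_vaControl, and the comment value is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical formatter standing in for the vasprintf() call in the
 * input control path; returns a malloc'd formatted string. */
static char *vformat(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) return NULL;
    char *buf = malloc((size_t)n + 1);
    if (buf == NULL) return NULL;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* Vulnerable pattern: the Vorbis comment value *is* the format string,
 * so every '%' directive found in the file is interpreted. */
static char *set_title_vulnerable(const char *comment_value)
{
    return vformat(comment_value);
}

/* Fixed pattern: the format is a literal and the untrusted value is only
 * ever a "%s" argument, so it is copied verbatim. */
static char *set_title_fixed(const char *comment_value)
{
    return vformat("%s", comment_value);
}

/* Defender-side check for scanning untrusted metadata: returns 1 if the
 * value carries a conversion directive (a '%' not escaped as "%%"). */
static int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}
```

With a constructed comment value such as "Concert %x", the fixed path returns the text unchanged, while the vulnerable path would hand the directive to the formatter.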
An excessively large sample rate causes an integer overflow, resulting in a SEGV in __status_Update in stats.c.
An uninitialized i_nb_resamplers in input.c can cause a crash during audio stream processing.
Impact:
If successful, a malicious third party could use this vulnerability to execute arbitrary code within the context of VLC media player (i.e. acquire local user privileges on the vulnerable system), or crash the player instance.
Fix Information:
These issues are fixed in version 0.8.6c.
Workarounds:
If support for Audio CDs and Ogg files is not used, one can remove the affected plugins manually from the VLC plugin directory. Relevant filenames are as follows:
Microsoft Windows
codec/libvorbis_plugin.dll, codec/libtheora_plugin.dll and access/libcdda_plugin.dll
Apple MacOS X
codec/libvorbis_plugin.dylib, codec/libtheora_plugin.dylib and access/libcdda_plugin.dylib
Other (Linux, BSD...)
codec/libvorbis_plugin.so, codec/libtheora_plugin.so and access/libcdda_plugin.so (typically found in /usr/lib or /usr/local/lib).
Otherwise, files coming from untrusted sources should not be opened, and CDDB must be disabled.
The SAP service discovery plugin must not be enabled (it is disabled by default).