December 6, 2016

VLC 1.1.9 Fixes MP4 Demultiplexer Vulnerability

The VideoLAN project team have released VLC 1.1.9, just two weeks after the release of V1.1.8, to fix two important security flaws. As we reported here and here, two vulnerabilities have been found in VLC recently, one in the libmodplug plugin and the other in the MP4 demultiplexer. In both cases an attacker would have needed to convince a user to open a specially crafted file to exploit the weaknesses.

According to the CHANGELOG, V1.1.9 is a minor release, focused on security issues and bugfixes:

  • Fix a heap corruption in MP4 demultiplexer
  • Update of libmodplug in binaries to fix a security issue
  • Many OS X layout and look fixes
  • Update of translations and scripts

VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVD, Audio CD, VCD, and various streaming protocols. V1.1.9 can be downloaded here.

VLC Media Player MP4 Heap Corruption Vulnerability

Yesterday we reported on a vulnerability in libmodplug, which is used by media players like VLC and GStreamer. Today it has been revealed that there is another vulnerability in VLC, this time a heap corruption in the MP4 demultiplexer. All versions of the VLC media player from V1.0.0 to the current V1.1.8 are affected.

According to the advisory, when VLC parses some MP4 (MPEG-4 Part 14) files, an insufficient buffer size might lead to corruption of the heap. It is not yet known whether a malicious third party might be able to use this to trigger execution of arbitrary code. However, successful exploitation of this bug can crash the media player.

As with the libmodplug issue reported yesterday, exploitation of this issue requires the user to explicitly open an MP4 file with specially crafted content. The workaround, until VLC media player 1.1.9 is released, is to avoid opening MP4 files from untrusted third parties and to avoid accessing untrusted remote sites. Alternatively, the MP4 decoder plugin (libmp4_plugin.*) can be removed manually from the VLC plugin installation directory.
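
The version range and the plugin workaround above can be scripted for machines that cannot be upgraded immediately. This is an added example, not code from VideoLAN or the advisory: the function names are hypothetical, and the plugin and quarantine directories are arguments the operator supplies because the install path varies by platform.

```shell
#!/bin/sh
# Added example: triage helpers for the MP4 demultiplexer issue.
# Affected range as stated in the article: VLC 1.0.0 through 1.1.8.

# vlc_is_affected VERSION
# Returns 0 when VERSION falls inside 1.0.0..1.1.8, 1 otherwise.
vlc_is_affected() {
    ver=${1%%[!0-9.]*}          # drop suffixes such as "-rc1"
    old_ifs=$IFS; IFS=.
    set -- $ver                 # split "1.1.8" into 1 1 8
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 1 ] || return 1
    case $minor in
        0) return 0 ;;              # every 1.0.x release
        1) [ "$patch" -le 8 ] ;;    # 1.1.0 through 1.1.8
        *) return 1 ;;
    esac
}

# quarantine_mp4_plugin PLUGIN_DIR QUARANTINE_DIR
# Moves every libmp4_plugin.* under PLUGIN_DIR into QUARANTINE_DIR, which
# must lie outside PLUGIN_DIR. Moving instead of deleting keeps the
# workaround reversible. Prints the number of files moved.
quarantine_mp4_plugin() {
    plugin_dir=$1; quarantine_dir=$2
    if [ ! -d "$plugin_dir" ]; then
        echo "no such directory: $plugin_dir" >&2
        return 2
    fi
    mkdir -p "$quarantine_dir" || return 2
    # Plugin layout differs between builds, so search recursively.
    # -print only fires for files whose mv succeeded.
    find "$plugin_dir" -type f -name 'libmp4_plugin.*' \
        -exec mv -- {} "$quarantine_dir"/ \; -print | wc -l | tr -d ' '
}
```

A result of 0 from `quarantine_mp4_plugin` means no matching plugin was found under the directory given, which usually indicates the wrong path rather than a safe install.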