June 14, 2021

VideoLAN Project Releases VLC Security Fix Release

(LiveHacking.Com) – VideoLAN and the VLC development team have released VLC 1.1.12 to fix bugs and a security issue while adding improvements to the audio output on Mac OS X and with PulseAudio.

The security issue fixed in this release is a NULL dereference vulnerability that causes a crash when an invalid URL is processed by the HTTP and RTSP server components. If successfully exploited, a malicious third party could crash the server process; however, arbitrary code execution is not believed possible.

For the vulnerability to be exploited, the user has to explicitly start the HTTP web interface, HTTP output, RTSP output or RTSP VoD functions.

Other changes between 1.1.11 and 1.1.12:

  • Mac OS X / auhal: multiple fixes for the Digital Audio output (S/PDIF) including support for OS X Lion
  • Multiple fixes and improved synchronization for PulseAudio support
  • Support for AC-3 and DTS passthrough with PulseAudio 1.0
  • Fix crashes with Japanese locale on OS X
  • Minor fixes for Webplugin under Win32, AVI demuxer, smem and AudioScrobbler

VLC 1.1.12 is available for download from the project’s web site.

VLC 1.1.9 Fixes MP4 Demultiplexer Vulnerability

The VideoLAN project team have released VLC 1.1.9, just two weeks after the release of V1.1.8, to fix two important security flaws. As we reported here and here, two vulnerabilities have been found in VLC recently, one in the libmodplug plugin and the other in the MP4 demultiplexer. In both cases an attacker would have needed to convince a user to open a specially crafted file to exploit the weaknesses.

According to the CHANGELOG, V1.1.9 is a minor release, focused on security issues and bugfixes:

  • Fix a heap corruption in MP4 demultiplexer
  • Update of libmodplug in binaries to fix a security issue
  • Many OS X layout and look fixes
  • Update of translations and scripts

VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVD, Audio CD, VCD, and various streaming protocols. V1.1.9 can be downloaded here.

VLC Media Player MP4 Heap Corruption Vulnerability

Yesterday we reported on a vulnerability in libmodplug, which is used by media players like VLC and GStreamer. Today it has been revealed that there is another vulnerability in VLC, this time a heap corruption in the MP4 demultiplexer. All versions of the VLC media player from V1.0.0 to the current V1.1.8 are affected.

According to the advisory, when VLC parses some MP4 (MPEG-4 Part 14) files, an insufficient buffer size might lead to corruption of the heap. It is not yet known whether a malicious third party might be able to use this to trigger execution of arbitrary code. However, successful exploitation of this bug can crash the media player.

As with the libmodplug issue reported yesterday, exploitation of this issue requires the user to explicitly open an MP4 file with specially crafted content. The workaround, until VLC media player 1.1.9 is released, is to avoid opening MP4 files from untrusted third parties or accessing untrusted remote sites. Alternatively, the MP4 decoder plugin (libmp4_plugin.*) can be removed manually from the VLC plugin installation directory.
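The manual plugin removal described above, written as a shell helper (an added example, not from VideoLAN or the original article): it moves any `libmp4_plugin.*` file out of a plugin tree into a quarantine directory, so the file can be restored after upgrading. The function names and both directory arguments are assumptions; the article gives only the file name pattern.

```shell
#!/bin/sh
# Added example: disable VLC's MP4 demuxer plugin by moving it out of the
# plugin tree instead of deleting it. PLUGIN_DIR and QUARANTINE_DIR are
# supplied by the caller (assumptions; the article names no paths).
# Usage: disable_mp4_plugin PLUGIN_DIR QUARANTINE_DIR
#        restore_mp4_plugin PLUGIN_DIR QUARANTINE_DIR

# _move_mp4_plugin SRC DST
# Moves every libmp4_plugin.* found under SRC to the same relative path
# under DST. Returns 0 if files were moved, 1 if none were found,
# 2 if SRC is not a directory, 3 if a move failed.
_move_mp4_plugin() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }

    # Paths are collected relative to SRC so the layout can be recreated.
    found=$(cd "$src" && find . -type f -name 'libmp4_plugin.*')
    [ -n "$found" ] || return 1

    printf '%s\n' "$found" | (
        while IFS= read -r rel; do
            mkdir -p "$dst/$(dirname "$rel")" &&
                mv "$src/$rel" "$dst/$rel" || exit 3
            echo "moved: ${rel#./}"
        done
    )
}

# Take the plugin out of service until a fixed VLC is installed.
disable_mp4_plugin() { _move_mp4_plugin "$1" "$2"; }

# Put a quarantined plugin back into the plugin tree.
restore_mp4_plugin() { _move_mp4_plugin "$2" "$1"; }
```

A return code of 1 from `disable_mp4_plugin` means no matching plugin was found under the given directory, which is worth checking before assuming the workaround is in place.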

Libmodplug Exposes VLC Media Player to Code Execution Vulnerability

SEC Consult has discovered a vulnerability in the libmodplug library, which is used by media players such as VLC and GStreamer. As a result, the current binary versions of the VLC Media Player are susceptible on Windows and OS X.

As a result of the problem in libmodplug (v0.8.8.1 of libmodplug, which was the most recent version at the time of the discovery), Secunia has issued an advisory for VLC Media Player users. Due to a bug, the libmodplug library is prone to stack-based buffer overflow attacks because of insufficient validation of user-supplied data. An attacker is able to execute arbitrary code, with the user’s privileges, when the user opens a malicious S3M media file.

The only way a hacker can launch this attack is by tricking a user into opening a specially crafted S3M file. Therefore, as a temporary workaround until an official fix of VLC is released, do not open untrusted *.S3M files.

For those who want to re-build VLC from source, an updated version of libmodplug is available here.