Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2019-2023 Canonical, Inc. / NASL script (C) 2019-2023 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-4074-1.NASL
HistoryJul 26, 2019 - 12:00 a.m.

Ubuntu 18.04 LTS : VLC vulnerabilities (USN-4074-1)

2019-07-2600:00:00
Ubuntu Security Notice (C) 2019-2023 Canonical, Inc. / NASL script (C) 2019-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
9
JSON

It was discovered that the VLC CAF demuxer incorrectly handled certain files. If a user were tricked into opening a specially crafted CAF file, a remote attacker could use this issue to cause VLC to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-19857)

It was discovered that the VLC Matroska demuxer incorrectly handled certain files. If a user were tricked into opening a specially crafted MKV file, a remote attacker could use this issue to cause VLC to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-12874)

It was discovered that the VLC MP4 demuxer incorrectly handled certain files. If a user were tricked into opening a specially crafted MP4 file, a remote attacker could use this issue to cause VLC to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2019-13602)

It was discovered that the VLC AVI demuxer incorrectly handled certain files. If a user were tricked into opening a specially crafted AVI file, a remote attacker could use this issue to cause VLC to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2019-5439).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4074-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(127095);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/20");

  script_cve_id(
    "CVE-2018-19857",
    "CVE-2019-12874",
    "CVE-2019-13602",
    "CVE-2019-5439"
  );
  script_xref(name:"USN", value:"4074-1");
  script_xref(name:"IAVB", value:"2019-B-0074-S");
  script_xref(name:"CEA-ID", value:"CEA-2019-0487");

  script_name(english:"Ubuntu 18.04 LTS : VLC vulnerabilities (USN-4074-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"It was discovered that the VLC CAF demuxer incorrectly handled certain
files. If a user were tricked into opening a specially crafted CAF
file, a remote attacker could use this issue to cause VLC to crash,
resulting in a denial of service. This issue only affected Ubuntu
18.04 LTS. (CVE-2018-19857)

It was discovered that the VLC Matroska demuxer incorrectly handled
certain files. If a user were tricked into opening a specially crafted
MKV file, a remote attacker could use this issue to cause VLC to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2019-12874)

It was discovered that the VLC MP4 demuxer incorrectly handled certain
files. If a user were tricked into opening a specially crafted MP4
file, a remote attacker could use this issue to cause VLC to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2019-13602)

It was discovered that the VLC AVI demuxer incorrectly handled certain
files. If a user were tricked into opening a specially crafted AVI
file, a remote attacker could use this issue to cause VLC to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2019-5439).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4074-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12874");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-data");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-l10n");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-access-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-fluidsynth");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-jack");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-notify");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-qt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-skins2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-svg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-video-output");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-video-splitter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-visualization");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:vlc-plugin-zvbi");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvlc-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvlc-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvlc5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvlccore-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvlccore9");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2019-2023 Canonical, Inc. / NASL script (C) 2019-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '18.04', 'pkgname': 'libvlc-bin', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'libvlc-dev', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'libvlc5', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'libvlccore-dev', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'libvlccore9', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-bin', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-data', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-l10n', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-access-extra', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-base', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-fluidsynth', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-jack', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-notify', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-qt', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-samba', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-skins2', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-svg', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-video-output', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-video-splitter', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-visualization', 'pkgver': '3.0.7.1-0ubuntu18.04.1'},
    {'osver': '18.04', 'pkgname': 'vlc-plugin-zvbi', 'pkgver': '3.0.7.1-0ubuntu18.04.1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libvlc-bin / libvlc-dev / libvlc5 / libvlccore-dev / libvlccore9 / etc');
}
VendorProductVersionCPE
canonicalubuntu_linuxvlcp-cpe:/a:canonical:ubuntu_linux:vlc
canonicalubuntu_linuxvlc-binp-cpe:/a:canonical:ubuntu_linux:vlc-bin
canonicalubuntu_linuxvlc-datap-cpe:/a:canonical:ubuntu_linux:vlc-data
canonicalubuntu_linuxvlc-l10np-cpe:/a:canonical:ubuntu_linux:vlc-l10n
canonicalubuntu_linuxvlc-plugin-access-extrap-cpe:/a:canonical:ubuntu_linux:vlc-plugin-access-extra
canonicalubuntu_linuxvlc-plugin-basep-cpe:/a:canonical:ubuntu_linux:vlc-plugin-base
canonicalubuntu_linuxvlc-plugin-fluidsynthp-cpe:/a:canonical:ubuntu_linux:vlc-plugin-fluidsynth
canonicalubuntu_linuxvlc-plugin-jackp-cpe:/a:canonical:ubuntu_linux:vlc-plugin-jack
canonicalubuntu_linuxvlc-plugin-notifyp-cpe:/a:canonical:ubuntu_linux:vlc-plugin-notify
canonicalubuntu_linuxvlc-plugin-qtp-cpe:/a:canonical:ubuntu_linux:vlc-plugin-qt
Rows per page:
1-10 of 231

Related

openvas 17
ubuntu 1
nessus 13
suse 6
kaspersky 2
gentoo 2
thn 1
archlinux 1
osv 7
cve 4
checkpoint_advisories 1
veracode 4
debian 2
ubuntucve 4
debiancve 4
cvelist 4
prion 4
alpinelinux 1
attackerkb 1
freebsd 3
pentestpartners 1
hackerone 1
threatpost 1
mageia 1
openvas
openvas
Ubuntu: Security Advisory (USN-4074-1)
2019-07-26 00:00:00
openSUSE: Security Advisory for vlc (openSUSE-SU-2019:1909-1)
2019-08-16 00:00:00
openSUSE: Security Advisory for vlc (openSUSE-SU-2019:1840-1)
2020-01-09 00:00:00
ubuntu
ubuntu
VLC vulnerabilities
2019-07-25 00:00:00
nessus
nessus
openSUSE Security Update : vlc (openSUSE-2019-1909)
2019-08-20 00:00:00
openSUSE Security Update : vlc (openSUSE-2019-1840)
2019-08-12 00:00:00
GLSA-201908-23 : VLC: Multiple vulnerabilities
2019-08-20 00:00:00
suse
suse
Security update for vlc (important)
2019-08-08 00:00:00
Security update for vlc (important)
2019-08-15 00:00:00
Security update for vlc (important)
2019-08-26 00:00:00
kaspersky
kaspersky
KLA11509 Multiple vulnerabilities in VLC media player
2019-06-13 00:00:00
KLA11761 Multiple vulnerabilities in VLC media player
2019-08-29 00:00:00
gentoo
gentoo
VLC: Multiple vulnerabilities
2019-08-18 00:00:00
VLC: Multiple vulnerabilities
2019-09-06 00:00:00
thn
thn
Beware! Playing Untrusted Videos On VLC Player Could Hack Your Computer
2019-06-21 19:23:00
archlinux
archlinux
[ASA-201906-22] vlc: arbitrary code execution
2019-06-25 00:00:00
osv
osv
CVE-2018-19857
2018-12-05 11:29:05
vlc - security update
2019-06-12 00:00:00
vlc - security update
2019-01-12 00:00:00
cve
cve
CVE-2018-19857
2018-12-05 11:29:00
CVE-2019-13602
2019-07-14 21:15:00
CVE-2019-12874
2019-06-18 18:15:00
checkpoint_advisories
checkpoint_advisories
VideoLAN VLC Media Player Denial of Service (CVE-2018-19857)
2020-08-05 00:00:00
veracode
veracode
Information Disclosure
2020-09-21 06:36:04
Arbitrary Code Execution
2020-09-21 06:21:23
Arbitrary Code Execution
2020-09-21 06:27:06
debian
debian
[SECURITY] [DSA 4366-1] vlc security update
2019-01-12 12:36:08
[SECURITY] [DSA 4504-1] vlc security update
2019-08-20 22:04:47
ubuntucve
ubuntucve
CVE-2019-13602
2019-07-14 00:00:00
CVE-2018-19857
2018-12-05 00:00:00
CVE-2019-12874
2019-06-18 00:00:00
debiancve
debiancve
CVE-2018-19857
2018-12-05 11:29:00
CVE-2019-13602
2019-07-14 21:15:00
CVE-2019-12874
2019-06-18 18:15:00
cvelist
cvelist
CVE-2018-19857
2018-12-05 11:00:00
CVE-2019-13602
2019-07-14 21:00:27
CVE-2019-12874
2019-06-18 17:53:09
prion
prion
Design/Logic Flaw
2018-12-05 11:29:00
Heap overflow
2019-07-14 21:15:00
Double free
2019-06-18 18:15:00
alpinelinux
alpinelinux
CVE-2019-13602
2019-07-14 21:15:00
attackerkb
attackerkb
VLC zlib_decompress_extra Double Free Vulnerability
2019-06-18 00:00:00
freebsd
freebsd
vlc -- Double free in Matroska demuxer
2019-05-20 00:00:00
vlc -- Buffer overflow vulnerability
2019-01-23 00:00:00
vlc -- multiple vulnerabilities
2019-07-14 00:00:00
pentestpartners
pentestpartners
Double-Free RCE in VLC. A honggfuzz how-to
2019-06-21 08:57:19
hackerone
hackerone
VLC (European Commission - DIGIT): Buffer overflow in libavi_plugin memmove() call
2019-01-23 03:31:55
threatpost
threatpost
VLC Media Player Allows Desktop Takeover Via Malicious Video Files
2019-08-19 20:59:13
mageia
mageia
Updated vlc packages fixes security vulnerabilities
2019-08-31 16:22:36
JSON
Related for UBUNTU_USN-4074-1.NASL
openvas17ubuntu1nessus13suse6kaspersky2gentoo2thn1archlinux1osv7cve4checkpoint_advisories1veracode4debian2ubuntucve4debiancve4cvelist4prion4alpinelinux1attackerkb1freebsd3pentestpartners1hackerone1threatpost1mageia1