ID OPENVAS:1361412562310703598 Type openvas Reporter Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net Modified 2019-03-18T00:00:00
Description
Patrick Coleman discovered that missing
input sanitising in the ADPCM decoder of the VLC media player may result in the
execution of arbitrary code if a malformed media file is opened.
# OpenVAS Vulnerability Test
# $Id: deb_3598.nasl 14279 2019-03-18 14:48:34Z cfischer $
# Auto-generated from advisory DSA 3598-1 using nvtgen 1.0
# Script version: 1.0
#
# Author:
# Greenbone Networks
#
# Copyright:
# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Metadata section: runs only when the scanner sets `description` while it
# collects plugin information. It registers identifiers and tags, and the
# closing exit(0) returns before any package check further down is executed.
if(description)
{
# Identity of the check: plugin OID, feed revision, the CVE it covers, and
# the Debian advisory it was generated from.
script_oid("1.3.6.1.4.1.25623.1.0.703598");
script_version("$Revision: 14279 $");
script_cve_id("CVE-2016-5108");
script_name("Debian Security Advisory DSA 3598-1 (vlc - security update)");
script_tag(name:"last_modification", value:"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $");
script_tag(name:"creation_date", value:"2016-06-07 00:00:00 +0200 (Tue, 07 Jun 2016)");
# CVSS v2 base score and vector as shipped by the feed: network vector, low
# complexity, no authentication, partial impact on C/I/A. CVSS v2 has no
# user-interaction metric, so the "malformed media file is opened"
# precondition stated in the summary is not visible in this vector.
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
# VendorFix: remediation is the vendor package update named in "solution".
script_tag(name:"solution_type", value:"VendorFix");
# qod_type "package": the finding rests on the installed package version,
# not on exercising the vulnerable decoder.
script_tag(name:"qod_type", value:"package");
script_xref(name:"URL", value:"http://www.debian.org/security/2016/dsa-3598.html");
# Registered in the information-gathering category.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net");
script_family("Debian Local Security Checks");
# gather-package-list.nasl has to run first; presumably it fills the
# ssh/login/* knowledge-base keys required below - confirm against that script.
script_dependencies("gather-package-list.nasl");
# The check is skipped unless these keys exist and the recorded release
# matches DEB8. Judging by the key names, that means hosts where an
# authenticated SSH login produced a package list; a host scanned without
# credentials yields no result from this script either way.
script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages", re:"ssh/login/release=DEB8");
script_tag(name:"affected", value:"vlc on Debian Linux");
# Fixed version for jessie; the same version string is the `ver:` argument
# of every isdpkgvuln() call in this script.
script_tag(name:"solution", value:"For the stable distribution (jessie),
this problem has been fixed in version 2.2.4-1~deb8u1.
For the unstable distribution (sid), this problem has been fixed in
version 2.2.4-1.
We recommend that you upgrade your vlc packages.");
script_tag(name:"summary", value:"Patrick Coleman discovered that missing
input sanitising in the ADPCM decoder of the VLC media player may result in the
execution of arbitrary code if a malformed media file is opened.");
# NOTE(review): the text mentions apt; the comparison in this script is made
# by isdpkgvuln() from pkg-lib-deb.inc.
script_tag(name:"vuldetect", value:"This check tests the installed software
version using the apt package manager.");
# Metadata only: stop here so the package checks never run in description mode.
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
# Local, version-only check for DSA 3598-1 (CVE-2016-5108): each vlc binary
# package listed below is compared against the fixed jessie version. A hit
# means an outdated package is installed; the ADPCM decoder itself is never
# exercised by this script.
res = "";
report = "";

# Binary packages checked for this advisory, in reporting order.
vlc_pkgs = make_list("libvlc-dev",
                     "libvlc5",
                     "libvlccore-dev",
                     "libvlccore8",
                     "vlc",
                     "vlc-data",
                     "vlc-dbg",
                     "vlc-nox",
                     "vlc-plugin-fluidsynth",
                     "vlc-plugin-jack",
                     "vlc-plugin-notify",
                     "vlc-plugin-pulse",
                     "vlc-plugin-samba",
                     "vlc-plugin-sdl",
                     "vlc-plugin-svg",
                     "vlc-plugin-zvbi");

foreach vlc_pkg (vlc_pkgs) {
  # isdpkgvuln() comes from pkg-lib-deb.inc; a non-NULL return is appended
  # to the report as the finding text for that package.
  res = isdpkgvuln(pkg:vlc_pkg, ver:"2.2.4-1~deb8u1", rls:"DEB8");
  if(res != NULL) {
    report += res;
  }
}

if(report == "") {
  # Nothing outdated was found. exit(99) signals "not vulnerable", and is
  # used only when __pkg_match is set - presumably by isdpkgvuln() once a
  # listed package was seen on the host (confirm in pkg-lib-deb.inc).
  # Otherwise the script ends without stating a result.
  if(__pkg_match) {
    exit(99);
  }
} else {
  security_message(data:report);
}
{"id": "OPENVAS:1361412562310703598", "bulletinFamily": "scanner", "title": "Debian Security Advisory DSA 3598-1 (vlc - security update)", "description": "Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.", "published": "2016-06-07T00:00:00", "modified": "2019-03-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703598", "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "references": ["http://www.debian.org/security/2016/dsa-3598.html"], "cvelist": ["CVE-2016-5108"], "type": "openvas", "lastseen": "2019-05-29T18:35:24", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2016-5108"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.", "edition": 4, "enchantments": {"dependencies": {"modified": "2019-03-19T12:33:23", "references": [{"idList": ["OPENVAS:1361412562310808221", "OPENVAS:703598", "OPENVAS:1361412562310851353", "OPENVAS:1361412562310808222", "OPENVAS:1361412562310851351"], "type": "openvas"}, {"idList": ["CVE-2016-5108"], "type": "cve"}, {"idList": ["GLSA-201701-39"], "type": "gentoo"}, {"idList": ["KLA10824"], "type": "kaspersky"}, {"idList": ["EDB-ID:41025"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-26652"], "type": "zdt"}, {"idList": ["OPENSUSE-SU-2016:1652-1", "OPENSUSE-SU-2016:1651-1"], "type": "suse"}, {"idList": ["DEBIAN_DSA-3598.NASL", "OPENSUSE-2016-755.NASL", "OPENSUSE-2016-754.NASL", "FREEBSD_PKG_6D4028572FBA11E69F315404A68AD561.NASL", "GENTOO_GLSA-201701-39.NASL"], "type": "nessus"}, {"idList": ["DEBIAN:DSA-3598-1:A3ACA"], 
"type": "debian"}, {"idList": ["ASA-201606-21"], "type": "archlinux"}, {"idList": ["6D402857-2FBA-11E6-9F31-5404A68AD561"], "type": "freebsd"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "825f111cc633e64fd2eaaf89e04a94717e7e108d7ef2c9db049e92415863a5f0", "hashmap": [{"hash": "878dcf62fdd5e22b54965943536c1d1e", "key": "published"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "833a00f0d79f3406a00df67a5ed3a1fd", "key": "title"}, {"hash": "3c60581d1bb44b2e7d1055504b18600b", "key": "sourceData"}, {"hash": "4edec2df77e8784d0423759e73f0c8c5", "key": "description"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "ff1b2ce4fa539c93aaea30a825c0255c", "key": "modified"}, {"hash": "9e3c59f6893acff0d0687dfdb0c8f792", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "4ea1b941ed383f6d6934514a7f561e69", "key": "references"}, {"hash": "488b69cfef7e3104f96167b567f15759", "key": "cvelist"}, {"hash": "138cac4fe4c48f74d1e51f605aae78a2", "key": "href"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}, {"hash": "a9c8bcfe4633509f60a86b8a069fb324", "key": "pluginID"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703598", "id": "OPENVAS:1361412562310703598", "lastseen": "2019-03-19T12:33:23", "modified": "2019-03-18T00:00:00", "naslFamily": "Debian Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310703598", "published": "2016-06-07T00:00:00", "references": ["http://www.debian.org/security/2016/dsa-3598.html"], "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3598.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3598-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions 
are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703598\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-5108\");\n script_name(\"Debian Security Advisory DSA 3598-1 (vlc - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-07 00:00:00 +0200 (Tue, 07 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3598.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"vlc on Debian Linux\");\n 
script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthis problem has been fixed in version 2.2.4-1~deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.2.4-1.\n\nWe recommend that you upgrade your vlc packages.\");\n script_tag(name:\"summary\", value:\"Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libvlc-dev\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libvlc5\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libvlccore-dev\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libvlccore8\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-data\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-dbg\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-nox\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-fluidsynth\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-jack\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-notify\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"vlc-plugin-pulse\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-samba\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-sdl\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-svg\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-zvbi\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "title": "Debian Security Advisory DSA 3598-1 (vlc - security update)", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2019-03-19T12:33:23"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2016-5108"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.", "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "cfb121d841a90e67a4a69271628c5f72c23c1bdb5efe6b4e8537bcbf6c10a5fb", "hashmap": [{"hash": "c460b60d42a564be76a5648d412754f1", "key": "sourceData"}, {"hash": "878dcf62fdd5e22b54965943536c1d1e", "key": "published"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "833a00f0d79f3406a00df67a5ed3a1fd", "key": "title"}, {"hash": "4edec2df77e8784d0423759e73f0c8c5", "key": "description"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "9e3c59f6893acff0d0687dfdb0c8f792", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "4ea1b941ed383f6d6934514a7f561e69", "key": "references"}, {"hash": 
"488b69cfef7e3104f96167b567f15759", "key": "cvelist"}, {"hash": "138cac4fe4c48f74d1e51f605aae78a2", "key": "href"}, {"hash": "de0046b39c61ffa78c7b307709572183", "key": "modified"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}, {"hash": "a9c8bcfe4633509f60a86b8a069fb324", "key": "pluginID"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703598", "id": "OPENVAS:1361412562310703598", "lastseen": "2017-12-18T11:05:25", "modified": "2017-12-15T00:00:00", "naslFamily": "Debian Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310703598", "published": "2016-06-07T00:00:00", "references": ["http://www.debian.org/security/2016/dsa-3598.html"], "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3598.nasl 8131 2017-12-15 07:30:28Z teissa $\n# Auto-generated from advisory DSA 3598-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703598\");\n script_version(\"$Revision: 8131 $\");\n script_cve_id(\"CVE-2016-5108\");\n script_name(\"Debian Security Advisory DSA 3598-1 (vlc - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-12-15 08:30:28 +0100 (Fri, 15 Dec 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-06-07 00:00:00 +0200 (Tue, 07 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3598.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"vlc on Debian Linux\");\n script_tag(name: \"insight\", value: \"VLC is the VideoLAN project's media\nplayer. 
It plays MPEG, MPEG-2, MPEG-4, DivX, MOV, WMV, QuickTime, WebM, FLAC, MP3,\nOgg/Vorbis files, DVDs, VCDs, podcasts, and multimedia streams from various network\nsources.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 2.2.4-1~deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.2.4-1.\n\nWe recommend that you upgrade your vlc packages.\");\n script_tag(name: \"summary\", value: \"Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libvlc-dev\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlc5\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlccore-dev\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlccore8\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-data\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-dbg\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-nox\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-fluidsynth\", ver:\"2.2.4-1~deb8u1\", 
rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-jack\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-notify\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-pulse\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-samba\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-sdl\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-svg\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-zvbi\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "title": "Debian Security Advisory DSA 3598-1 (vlc - security update)", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 1, "lastseen": "2017-12-18T11:05:25"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2016-5108"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.", "edition": 3, "enchantments": {"dependencies": {"modified": "2018-09-01T23:47:05", "references": [{"idList": ["OPENVAS:1361412562310808221", "OPENVAS:703598", "OPENVAS:1361412562310851353", "OPENVAS:1361412562310808222", "OPENVAS:1361412562310851351"], "type": "openvas"}, {"idList": ["CVE-2016-5108"], "type": "cve"}, {"idList": 
["GLSA-201701-39"], "type": "gentoo"}, {"idList": ["KLA10824"], "type": "kaspersky"}, {"idList": ["EDB-ID:41025"], "type": "exploitdb"}, {"idList": ["1337DAY-ID-26652"], "type": "zdt"}, {"idList": ["OPENSUSE-SU-2016:1652-1", "OPENSUSE-SU-2016:1651-1"], "type": "suse"}, {"idList": ["DEBIAN_DSA-3598.NASL", "OPENSUSE-2016-755.NASL", "OPENSUSE-2016-754.NASL", "FREEBSD_PKG_6D4028572FBA11E69F315404A68AD561.NASL", "GENTOO_GLSA-201701-39.NASL"], "type": "nessus"}, {"idList": ["DEBIAN:DSA-3598-1:A3ACA"], "type": "debian"}, {"idList": ["ASA-201606-21"], "type": "archlinux"}, {"idList": ["6D402857-2FBA-11E6-9F31-5404A68AD561"], "type": "freebsd"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "cfb121d841a90e67a4a69271628c5f72c23c1bdb5efe6b4e8537bcbf6c10a5fb", "hashmap": [{"hash": "c460b60d42a564be76a5648d412754f1", "key": "sourceData"}, {"hash": "878dcf62fdd5e22b54965943536c1d1e", "key": "published"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "833a00f0d79f3406a00df67a5ed3a1fd", "key": "title"}, {"hash": "4edec2df77e8784d0423759e73f0c8c5", "key": "description"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "9e3c59f6893acff0d0687dfdb0c8f792", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "4ea1b941ed383f6d6934514a7f561e69", "key": "references"}, {"hash": "488b69cfef7e3104f96167b567f15759", "key": "cvelist"}, {"hash": "138cac4fe4c48f74d1e51f605aae78a2", "key": "href"}, {"hash": "de0046b39c61ffa78c7b307709572183", "key": "modified"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}, {"hash": "a9c8bcfe4633509f60a86b8a069fb324", "key": "pluginID"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703598", "id": "OPENVAS:1361412562310703598", "lastseen": "2018-09-01T23:47:05", "modified": "2017-12-15T00:00:00", "naslFamily": "Debian Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310703598", 
"published": "2016-06-07T00:00:00", "references": ["http://www.debian.org/security/2016/dsa-3598.html"], "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3598.nasl 8131 2017-12-15 07:30:28Z teissa $\n# Auto-generated from advisory DSA 3598-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703598\");\n script_version(\"$Revision: 8131 $\");\n script_cve_id(\"CVE-2016-5108\");\n script_name(\"Debian Security Advisory DSA 3598-1 (vlc - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-12-15 08:30:28 +0100 (Fri, 15 Dec 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-06-07 00:00:00 +0200 (Tue, 07 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3598.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"vlc on Debian Linux\");\n script_tag(name: \"insight\", value: \"VLC is the VideoLAN project's media\nplayer. 
It plays MPEG, MPEG-2, MPEG-4, DivX, MOV, WMV, QuickTime, WebM, FLAC, MP3,\nOgg/Vorbis files, DVDs, VCDs, podcasts, and multimedia streams from various network\nsources.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 2.2.4-1~deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.2.4-1.\n\nWe recommend that you upgrade your vlc packages.\");\n script_tag(name: \"summary\", value: \"Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libvlc-dev\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlc5\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlccore-dev\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlccore8\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-data\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-dbg\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-nox\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-fluidsynth\", ver:\"2.2.4-1~deb8u1\", 
rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-jack\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-notify\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-pulse\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-samba\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-sdl\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-svg\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-zvbi\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "title": "Debian Security Advisory DSA 3598-1 (vlc - security update)", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2018-09-01T23:47:05"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2016-5108"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "538f27c99b5566212e764c8935eb064e55a607d943347d791d7f3e9b897acd4c", "hashmap": [{"hash": "c460b60d42a564be76a5648d412754f1", "key": "sourceData"}, {"hash": "878dcf62fdd5e22b54965943536c1d1e", "key": "published"}, {"hash": "833a00f0d79f3406a00df67a5ed3a1fd", "key": "title"}, {"hash": 
"4edec2df77e8784d0423759e73f0c8c5", "key": "description"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "9e3c59f6893acff0d0687dfdb0c8f792", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "4ea1b941ed383f6d6934514a7f561e69", "key": "references"}, {"hash": "488b69cfef7e3104f96167b567f15759", "key": "cvelist"}, {"hash": "138cac4fe4c48f74d1e51f605aae78a2", "key": "href"}, {"hash": "de0046b39c61ffa78c7b307709572183", "key": "modified"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}, {"hash": "a9c8bcfe4633509f60a86b8a069fb324", "key": "pluginID"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703598", "id": "OPENVAS:1361412562310703598", "lastseen": "2018-08-30T19:21:09", "modified": "2017-12-15T00:00:00", "naslFamily": "Debian Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310703598", "published": "2016-06-07T00:00:00", "references": ["http://www.debian.org/security/2016/dsa-3598.html"], "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3598.nasl 8131 2017-12-15 07:30:28Z teissa $\n# Auto-generated from advisory DSA 3598-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703598\");\n script_version(\"$Revision: 8131 $\");\n script_cve_id(\"CVE-2016-5108\");\n script_name(\"Debian Security Advisory DSA 3598-1 (vlc - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-12-15 08:30:28 +0100 (Fri, 15 Dec 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-06-07 00:00:00 +0200 (Tue, 07 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3598.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"vlc on Debian Linux\");\n script_tag(name: \"insight\", value: \"VLC is the VideoLAN project's media\nplayer. 
It plays MPEG, MPEG-2, MPEG-4, DivX, MOV, WMV, QuickTime, WebM, FLAC, MP3,\nOgg/Vorbis files, DVDs, VCDs, podcasts, and multimedia streams from various network\nsources.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 2.2.4-1~deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.2.4-1.\n\nWe recommend that you upgrade your vlc packages.\");\n script_tag(name: \"summary\", value: \"Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libvlc-dev\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlc5\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlccore-dev\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlccore8\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-data\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-dbg\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-nox\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-fluidsynth\", ver:\"2.2.4-1~deb8u1\", 
rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-jack\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-notify\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-pulse\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-samba\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-sdl\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-svg\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-zvbi\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "title": "Debian Security Advisory DSA 3598-1 (vlc - security update)", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-30T19:21:09"}], "edition": 5, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "488b69cfef7e3104f96167b567f15759"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "description", "hash": "4edec2df77e8784d0423759e73f0c8c5"}, {"key": "href", "hash": "138cac4fe4c48f74d1e51f605aae78a2"}, {"key": "modified", "hash": "ff1b2ce4fa539c93aaea30a825c0255c"}, {"key": "naslFamily", "hash": "74562d71b087df9eabd0c21f99b132cc"}, {"key": "pluginID", "hash": "a9c8bcfe4633509f60a86b8a069fb324"}, {"key": "published", "hash": "878dcf62fdd5e22b54965943536c1d1e"}, {"key": "references", "hash": "4ea1b941ed383f6d6934514a7f561e69"}, {"key": "reporter", "hash": 
"9e3c59f6893acff0d0687dfdb0c8f792"}, {"key": "sourceData", "hash": "3c60581d1bb44b2e7d1055504b18600b"}, {"key": "title", "hash": "833a00f0d79f3406a00df67a5ed3a1fd"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "dba60bf5f0032a1c99ba424a97f8e516430870043d9922e56800956d8508a597", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-5108"]}, {"type": "kaspersky", "idList": ["KLA10824"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808222", "OPENVAS:1361412562310808221", "OPENVAS:703598", "OPENVAS:1361412562310851351", "OPENVAS:1361412562310851353"]}, {"type": "freebsd", "idList": ["6D402857-2FBA-11E6-9F31-5404A68AD561"]}, {"type": "archlinux", "idList": ["ASA-201606-21"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-201701-39.NASL", "DEBIAN_DSA-3598.NASL", "FREEBSD_PKG_6D4028572FBA11E69F315404A68AD561.NASL", "OPENSUSE-2016-755.NASL", "OPENSUSE-2016-754.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-26652"]}, {"type": "exploitdb", "idList": ["EDB-ID:41025"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3598-1:A3ACA"]}, {"type": "gentoo", "idList": ["GLSA-201701-39"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:1651-1", "OPENSUSE-SU-2016:1652-1"]}], "modified": "2019-05-29T18:35:24"}, "score": {"value": 7.6, "vector": "NONE", "modified": "2019-05-29T18:35:24"}, "vulnersScore": 7.6}, "objectVersion": "1.3", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3598.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3598-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free 
Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703598\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-5108\");\n script_name(\"Debian Security Advisory DSA 3598-1 (vlc - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-07 00:00:00 +0200 (Tue, 07 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3598.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"vlc on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthis problem has been fixed in version 2.2.4-1~deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.2.4-1.\n\nWe recommend that you upgrade your vlc 
packages.\");\n script_tag(name:\"summary\", value:\"Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libvlc-dev\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libvlc5\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libvlccore-dev\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libvlccore8\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-data\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-dbg\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-nox\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-fluidsynth\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-jack\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-notify\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-pulse\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-samba\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"vlc-plugin-sdl\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-svg\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"vlc-plugin-zvbi\", ver:\"2.2.4-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "naslFamily": "Debian Local Security Checks", "pluginID": "1361412562310703598", "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted QuickTime IMA file.", "modified": "2017-07-01T01:29:00", "id": "CVE-2016-5108", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5108", "published": "2016-06-08T15:00:00", "title": "CVE-2016-5108", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:41", "bulletinFamily": "unix", "description": "\nThe VLC project reports:\n\nFix out-of-bound write in adpcm QT IMA codec (CVE-2016-5108)\n\n", "modified": "2016-05-25T00:00:00", "published": "2016-05-25T00:00:00", "id": "6D402857-2FBA-11E6-9F31-5404A68AD561", "href": "https://vuxml.freebsd.org/freebsd/6d402857-2fba-11e6-9f31-5404a68ad561.html", "title": "VLC -- Possibly remote code execution via crafted file", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:35:13", "bulletinFamily": "scanner", "description": "The host is installed with VLC media player\n and is prone to denial of service vulnerability.", "modified": "2018-10-24T00:00:00", "published": "2016-06-13T00:00:00", "id": "OPENVAS:1361412562310808222", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808222", "title": "VLC Media Player QuickTime IMA File Denial of Service Vulnerability June16 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vlc_media_player_ima_file_dos_vul_june16_macosx.nasl 12051 2018-10-24 09:14:54Z asteins $\n#\n# VLC Media Player QuickTime IMA File Denial of Service Vulnerability June16 (Mac OS X)\n#\n# Authors:\n# Rinu Kuriakose 
<krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:videolan:vlc_media_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808222\");\n script_version(\"$Revision: 12051 $\");\n script_cve_id(\"CVE-2016-5108\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-24 11:14:54 +0200 (Wed, 24 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-13 14:25:45 +0530 (Mon, 13 Jun 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"VLC Media Player QuickTime IMA File Denial of Service Vulnerability June16 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VLC media player\n and is prone to denial of service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a buffer overflow\n vulnerability in the 'DecodeAdpcmImaQT' function in 'modules/codec/adpcm.c'\n script.\");\n\n 
script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service (crash) and possibly execute arbitrary\n code via crafted QuickTime IMA file.\");\n\n script_tag(name:\"affected\", value:\"VideoLAN VLC media player before 2.2.4\n on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VideoLAN VLC media player version\n 2.2.4 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1036009\");\n script_xref(name:\"URL\", value:\"http://www.videolan.org/security/sa1601.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_vlc_media_player_detect_macosx.nasl\");\n script_mandatory_keys(\"VLC/Media/Player/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vlcVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:vlcVer, test_version:\"2.2.4\"))\n{\n report = report_fixed_ver(installed_version:vlcVer, fixed_version:\"2.2.4\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:04", "bulletinFamily": "scanner", "description": "The host is installed with VLC media player\n and is prone to denial of service vulnerability.", "modified": "2018-11-21T00:00:00", "published": "2016-06-13T00:00:00", "id": "OPENVAS:1361412562310808221", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808221", "title": "VLC Media Player QuickTime IMA File Denial of Service Vulnerability June16 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vlc_media_player_ima_file_dos_vul_june16_win.nasl 12455 2018-11-21 09:17:27Z 
cfischer $\n#\n# VLC Media Player QuickTime IMA File Denial of Service Vulnerability June16 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:videolan:vlc_media_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808221\");\n script_version(\"$Revision: 12455 $\");\n script_cve_id(\"CVE-2016-5108\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-21 10:17:27 +0100 (Wed, 21 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-13 13:25:43 +0530 (Mon, 13 Jun 2016)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"VLC Media Player QuickTime IMA File Denial of Service Vulnerability June16 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VLC media player\n and is prone to denial of service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a buffer 
overflow\n vulnerability in the 'DecodeAdpcmImaQT' function in 'modules/codec/adpcm.c'\n script.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial of service (crash) and possibly execute arbitrary\n code via crafted QuickTime IMA file.\");\n\n script_tag(name:\"affected\", value:\"VideoLAN VLC media player before 2.2.4\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VideoLAN VLC media player version\n 2.2.4 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1036009\");\n script_xref(name:\"URL\", value:\"http://www.videolan.org/security/sa1601.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"secpod_vlc_media_player_detect_win.nasl\");\n script_mandatory_keys(\"VLCPlayer/Win/Installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vlcVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:vlcVer, test_version:\"2.2.4\"))\n{\n report = report_fixed_ver(installed_version:vlcVer, fixed_version:\"2.2.4\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:54:30", "bulletinFamily": "scanner", "description": "Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.", "modified": "2017-07-07T00:00:00", "published": "2016-06-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703598", "id": "OPENVAS:703598", "title": "Debian Security Advisory DSA 3598-1 (vlc - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3598.nasl 6608 
2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3598-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703598);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-5108\");\n script_name(\"Debian Security Advisory DSA 3598-1 (vlc - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-06-07 00:00:00 +0200 (Tue, 07 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3598.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security 
Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"vlc on Debian Linux\");\n script_tag(name: \"insight\", value: \"VLC is the VideoLAN project's media\nplayer. It plays MPEG, MPEG-2, MPEG-4, DivX, MOV, WMV, QuickTime, WebM, FLAC, MP3,\nOgg/Vorbis files, DVDs, VCDs, podcasts, and multimedia streams from various network\nsources.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 2.2.4-1~deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.2.4-1.\n\nWe recommend that you upgrade your vlc packages.\");\n script_tag(name: \"summary\", value: \"Patrick Coleman discovered that missing\ninput sanitising in the ADPCM decoder of the VLC media player may result in the\nexecution of arbitrary code if a malformed media file is opened.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libvlc-dev\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlc5\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlccore-dev\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libvlccore8\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-data\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"vlc-dbg\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-nox\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-fluidsynth\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-jack\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-notify\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-pulse\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-samba\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-sdl\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-svg\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"vlc-plugin-zvbi\", ver:\"2.2.4-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:35:02", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the 'vlc' package(s) announced via the referenced advisory.", "modified": "2018-11-16T00:00:00", "published": "2016-06-23T00:00:00", "id": "OPENVAS:1361412562310851351", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851351", "title": "SuSE Update for vlc openSUSE-SU-2016:1651-1 (vlc)", "type": "openvas", "sourceData": "###############################################################################\n# 
OpenVAS Vulnerability Test\n# $Id: gb_suse_2016_1651_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for vlc openSUSE-SU-2016:1651-1 (vlc)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851351\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-23 05:24:29 +0200 (Thu, 23 Jun 2016)\");\n script_cve_id(\"CVE-2016-3941\", \"CVE-2016-5108\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for vlc openSUSE-SU-2016:1651-1 (vlc)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'vlc'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This update for vlc to version 2.1.6 fixes the 
following issues:\n\n These CVE were fixed:\n\n - CVE-2016-5108: Reject invalid QuickTime IMA files (boo#984382).\n\n - CVE-2016-3941: Heap overflow in processing wav files (boo#973354).\n\n These security issues without were fixed:\n\n - Fix heap overflow in decomp stream filter.\n\n - Fix buffer overflow in updater.\n\n - Fix potential buffer overflow in schroedinger encoder.\n\n - Fix null-pointer dereference in DMO decoder.\n\n - Fix buffer overflow in parsing of string boxes in mp4 demuxer.\n\n - Fix SRTP integer overflow.\n\n - Fix potential crash in zip access.\n\n - Fix read overflow in Ogg demuxer.\");\n script_tag(name:\"affected\", value:\"vlc on openSUSE 13.2\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:1651_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE13\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSE13.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"libvlc5\", rpm:\"libvlc5~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvlc5-debuginfo\", rpm:\"libvlc5-debuginfo~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvlccore7\", rpm:\"libvlccore7~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvlccore7-debuginfo\", rpm:\"libvlccore7-debuginfo~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) 
!= NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc\", rpm:\"vlc~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-debuginfo\", rpm:\"vlc-debuginfo~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-debugsource\", rpm:\"vlc-debugsource~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-devel\", rpm:\"vlc-devel~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-gnome\", rpm:\"vlc-gnome~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-gnome-debuginfo\", rpm:\"vlc-gnome-debuginfo~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-noX\", rpm:\"vlc-noX~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-noX-debuginfo\", rpm:\"vlc-noX-debuginfo~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-qt\", rpm:\"vlc-qt~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-qt-debuginfo\", rpm:\"vlc-qt-debuginfo~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-noX-lang\", rpm:\"vlc-noX-lang~2.1.6~2.10.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:32", 
"bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2016-06-23T00:00:00", "id": "OPENVAS:1361412562310851353", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851353", "title": "SuSE Update for vlc openSUSE-SU-2016:1652-1 (vlc)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2016_1652_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for vlc openSUSE-SU-2016:1652-1 (vlc)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851353\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-23 05:24:34 +0200 (Thu, 23 Jun 2016)\");\n script_cve_id(\"CVE-2015-7981\", \"CVE-2015-8126\", \"CVE-2016-1514\", \"CVE-2016-1515\",\n \"CVE-2016-5108\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for vlc openSUSE-SU-2016:1652-1 (vlc)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'vlc'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This update for vlc to 2.2.4 to fix the following security issue:\n\n - CVE-2016-5108: Fix out-of-bound write in adpcm QT IMA codec (boo#984382).\n\n This also include an update of codecs and libraries to fix these 3rd party\n security issues:\n\n - CVE-2016-1514: Matroska libebml EbmlUnicodeString Heap Information Leak\n\n - CVE-2016-1515: Matroska libebml Multiple ElementList Double Free\n Vulnerabilities\n\n - CVE-2015-7981: The png_convert_to_rfc1123 function in png.c in libpng\n allowed remote attackers to obtain sensitive process memory information\n via crafted tIME chunk data in an image file, which triggers an\n out-of-bounds read (bsc#952051).\n\n - 
CVE-2015-8126: Multiple buffer overflows in the (1) png_set_PLTE and (2)\n png_get_PLTE functions in libpng allowed remote attackers to cause a\n denial of service (application crash) or possibly have unspecified other\n impact via a small bit-depth value in an IHDR (aka image header) chunk\n in a PNG image (bsc#954980).\");\n script_tag(name:\"affected\", value:\"vlc on openSUSE Leap 42.1\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:1652_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSELeap42.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libvlc5\", rpm:\"libvlc5~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvlc5-debuginfo\", rpm:\"libvlc5-debuginfo~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvlccore8\", rpm:\"libvlccore8~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libvlccore8-debuginfo\", rpm:\"libvlccore8-debuginfo~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc\", rpm:\"vlc~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-debuginfo\", 
rpm:\"vlc-debuginfo~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-debugsource\", rpm:\"vlc-debugsource~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-devel\", rpm:\"vlc-devel~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-noX\", rpm:\"vlc-noX~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-noX-debuginfo\", rpm:\"vlc-noX-debuginfo~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-qt\", rpm:\"vlc-qt~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-qt-debuginfo\", rpm:\"vlc-qt-debuginfo~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"vlc-noX-lang\", rpm:\"vlc-noX-lang~2.2.4~27.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:48", "bulletinFamily": "unix", "description": "A buffer overflow has been found in the DecodeAdpcmImaQT() function of\nVLC's QuickTime IMA decoder.", "modified": "2016-06-25T00:00:00", "published": "2016-06-25T00:00:00", "id": "ASA-201606-21", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-June/000656.html", "title": "vlc: arbitrary code execution", "type": "archlinux", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:47", "bulletinFamily": "info", 
"description": "### *Detect date*:\n06/08/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn unknown vulnerability was found in VLC media player. By exploiting this vulnerability malicious users can cause a denial of service or execute arbitrary code. This vulnerability can be exploited remotely via specially crafted QuickTime IMA file.\n\n### *Affected products*:\nVideoLAN VLC media player earlier than 2.2.4\n\n### *Solution*:\nUpdate to the latest version \n[Get VLC media player](<http://www.videolan.org/vlc/>)\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[VLC media player](<https://threats.kaspersky.com/en/product/VLC-media-player/>)\n\n### *CVE-IDS*:\n[CVE-2016-5108](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5108>)7.5Critical", "modified": "2019-03-07T00:00:00", "published": "2016-06-08T00:00:00", "id": "KLA10824", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10824", "title": "\r KLA10824Denial of service and arbitrary code execution vulnerabilities in VideoLAN VLC media player ", "type": "kaspersky", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-12-13T06:51:31", "bulletinFamily": "scanner", "description": "Patrick Coleman discovered that missing input sanitising in the ADPCM\ndecoder of the VLC media player may result in the execution of\narbitrary code if a malformed media file is opened.", "modified": "2019-12-02T00:00:00", "id": "DEBIAN_DSA-3598.NASL", "href": "https://www.tenable.com/plugins/nessus/91524", "published": "2016-06-09T00:00:00", "title": "Debian DSA-3598-1 : vlc - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3598. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91524);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2018/11/10 11:49:37\");\n\n script_cve_id(\"CVE-2016-5108\");\n script_xref(name:\"DSA\", value:\"3598\");\n\n script_name(english:\"Debian DSA-3598-1 : vlc - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Patrick Coleman discovered that missing input sanitising in the ADPCM\ndecoder of the VLC media player may result in the execution of\narbitrary code if a malformed media file is opened.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/vlc\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3598\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the vlc packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2.2.4-1~deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:vlc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libvlc-dev\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libvlc5\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libvlccore-dev\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libvlccore8\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc-data\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc-dbg\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc-nox\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc-plugin-fluidsynth\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc-plugin-jack\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc-plugin-notify\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", 
prefix:\"vlc-plugin-pulse\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc-plugin-samba\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc-plugin-sdl\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc-plugin-svg\", reference:\"2.2.4-1~deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"vlc-plugin-zvbi\", reference:\"2.2.4-1~deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:34:01", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201701-39\n(VLC: Buffer overflow)\n\n A buffer overflow was discovered in the DecodeAdpcmImaQT function in\n modules/codec/adpcm.c in the VideoLAN VLC media player.\n \nImpact :\n\n Remote attackers, by enticing a user to execute a specially crafted\n QuickTime IMA file, could cause a Denial of Service condition or possibly\n execute arbitrary code.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2019-12-02T00:00:00", "id": "GENTOO_GLSA-201701-39.NASL", "href": "https://www.tenable.com/plugins/nessus/96543", "published": "2017-01-17T00:00:00", "title": "GLSA-201701-39 : VLC: Buffer overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201701-39.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96543);\n script_version(\"3.2\");\n script_cvs_date(\"Date: 2019/04/10 16:10:17\");\n\n script_cve_id(\"CVE-2016-5108\");\n script_xref(name:\"GLSA\", value:\"201701-39\");\n\n script_name(english:\"GLSA-201701-39 : VLC: Buffer overflow\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201701-39\n(VLC: Buffer overflow)\n\n A buffer overflow was discovered in the DecodeAdpcmImaQT function in\n modules/codec/adpcm.c in the VideoLAN VLC media player.\n \nImpact :\n\n Remote attackers, by enticing a user to execute a specially crafted\n QuickTime IMA file, could cause a Denial of Service condition or possibly\n execute arbitrary code.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201701-39\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All VLC users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-video/vlc-2.2.4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vlc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"media-video/vlc\", unaffected:make_list(\"ge 2.2.4\"), vulnerable:make_list(\"lt 2.2.4\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"VLC\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:30:05", "bulletinFamily": "scanner", "description": "The VLC project reports :\n\nFix out-of-bound write in adpcm QT IMA codec (CVE-2016-5108)", "modified": "2019-12-02T00:00:00", "id": "FREEBSD_PKG_6D4028572FBA11E69F315404A68AD561.NASL", "href": "https://www.tenable.com/plugins/nessus/91581", "published": "2016-06-14T00:00:00", "title": "FreeBSD : VLC -- Possibly remote code execution via 
crafted file (6d402857-2fba-11e6-9f31-5404a68ad561)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91581);\n script_version(\"2.4\");\n script_cvs_date(\"Date: 2019/04/11 17:23:06\");\n\n script_cve_id(\"CVE-2016-5108\");\n\n script_name(english:\"FreeBSD : VLC -- Possibly remote code execution via crafted file (6d402857-2fba-11e6-9f31-5404a68ad561)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The VLC project reports :\n\nFix out-of-bound write in adpcm QT IMA codec (CVE-2016-5108)\"\n );\n # https://vuxml.freebsd.org/freebsd/6d402857-2fba-11e6-9f31-5404a68ad561.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?338cf030\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:vlc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:vlc-qt4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"vlc<2.2.4,4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"vlc-qt4<2.2.4,4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T08:16:40", "bulletinFamily": "scanner", "description": "This update for vlc to version 2.1.6 fixes the following issues :\n\nThese CVE were fixed :\n\n - CVE-2016-5108: Reject invalid QuickTime IMA files\n (boo#984382).\n\n - CVE-2016-3941: Heap overflow in processing wav files\n 
(boo#973354).\n\nThese security issues without a CVE were fixed :\n\n - Fix heap overflow in decomp stream filter.\n\n - Fix buffer overflow in updater.\n\n - Fix potential buffer overflow in schroedinger encoder.\n\n - Fix NULL pointer dereference in DMO decoder.\n\n - Fix buffer overflow in parsing of string boxes in mp4\n demuxer.\n\n - Fix SRTP integer overflow.\n\n - Fix potential crash in zip access.\n\n - Fix read overflow in Ogg demuxer.", "modified": "2019-12-02T00:00:00", "id": "OPENSUSE-2016-755.NASL", "href": "https://www.tenable.com/plugins/nessus/91773", "published": "2016-06-23T00:00:00", "title": "openSUSE Security Update : vlc (openSUSE-2016-755)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-755.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91773);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2019/04/11 17:23:07\");\n\n script_cve_id(\"CVE-2016-3941\", \"CVE-2016-5108\");\n\n script_name(english:\"openSUSE Security Update : vlc (openSUSE-2016-755)\");\n script_summary(english:\"Check for the openSUSE-2016-755 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for vlc to version 2.1.6 fixes the following issues :\n\nThese CVE were fixed :\n\n - CVE-2016-5108: Reject invalid QuickTime IMA files\n (boo#984382).\n\n - CVE-2016-3941: Heap overflow in processing wav files\n (boo#973354).\n\nThese security issues without were fixed :\n\n - Fix heap overflow in decomp stream filter.\n\n - Fix buffer overflow in updater.\n\n - Fix potential buffer overflow in schroedinger encoder.\n\n - Fix NULL pointer dereference in DMO decoder.\n\n - Fix buffer overflow in parsing 
of string boxes in mp4\n demuxer.\n\n - Fix SRTP integer overflow.\n\n - Fix potential crash in zip access.\n\n - Fix read overflow in Ogg demuxer.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=973354\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984382\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected vlc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvlc5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvlc5-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvlccore7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvlccore7-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:vlc-noX\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-noX-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-noX-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-qt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-qt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libvlc5-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libvlc5-debuginfo-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", 
reference:\"libvlccore7-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"libvlccore7-debuginfo-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-debuginfo-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-debugsource-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-devel-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-gnome-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-gnome-debuginfo-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-noX-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-noX-debuginfo-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-noX-lang-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-qt-2.1.6-2.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"vlc-qt-debuginfo-2.1.6-2.10.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvlc5 / libvlc5-debuginfo / libvlccore7 / libvlccore7-debuginfo / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T08:16:39", "bulletinFamily": "scanner", "description": "This update for vlc to 2.2.4 to fix the following security issue :\n\n - CVE-2016-5108: Fix out-of-bound write in adpcm QT IMA\n codec (boo#984382).\n\nThis also include an update of codecs and libraries to fix these 3rd\nparty security issues :\n\n - CVE-2016-1514: Matroska libebml EbmlUnicodeString Heap\n Information Leak\n\n - CVE-2016-1515: Matroska libebml Multiple 
ElementList\n Double Free Vulnerabilities\n\n - CVE-2015-7981: The png_convert_to_rfc1123 function in\n png.c in libpng allowed remote attackers to obtain\n sensitive process memory information via crafted tIME\n chunk data in an image file, which triggers an\n out-of-bounds read (bsc#952051).\n\n - CVE-2015-8126: Multiple buffer overflows in the (1)\n png_set_PLTE and (2) png_get_PLTE functions in libpng\n allowed remote attackers to cause a denial of service\n (application crash) or possibly have unspecified other\n impact via a small bit-depth value in an IHDR (aka image\n header) chunk in a PNG image (bsc#954980).", "modified": "2019-12-02T00:00:00", "id": "OPENSUSE-2016-754.NASL", "href": "https://www.tenable.com/plugins/nessus/91772", "published": "2016-06-23T00:00:00", "title": "openSUSE Security Update : vlc (openSUSE-2016-754)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-754.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91772);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2019/04/11 17:23:07\");\n\n script_cve_id(\"CVE-2015-7981\", \"CVE-2015-8126\", \"CVE-2016-1514\", \"CVE-2016-1515\", \"CVE-2016-5108\");\n\n script_name(english:\"openSUSE Security Update : vlc (openSUSE-2016-754)\");\n script_summary(english:\"Check for the openSUSE-2016-754 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for vlc to 2.2.4 to fix the following security issue :\n\n - CVE-2016-5108: Fix out-of-bound write in adpcm QT IMA\n codec (boo#984382).\n\nThis also include an update of codecs and libraries to fix these 3rd\nparty security issues :\n\n - CVE-2016-1514: Matroska libebml 
EbmlUnicodeString Heap\n Information Leak\n\n - CVE-2016-1515: Matroska libebml Multiple ElementList\n Double Free Vulnerabilities\n\n - CVE-2015-7981: The png_convert_to_rfc1123 function in\n png.c in libpng allowed remote attackers to obtain\n sensitive process memory information via crafted tIME\n chunk data in an image file, which triggers an\n out-of-bounds read (bsc#952051).\n\n - CVE-2015-8126: Multiple buffer overflows in the (1)\n png_set_PLTE and (2) png_get_PLTE functions in libpng\n allowed remote attackers to cause a denial of service\n (application crash) or possibly have unspecified other\n impact via a small bit-depth value in an IHDR (aka image\n header) chunk in a PNG image (bsc#954980).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=952051\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=954980\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984382\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected vlc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvlc5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvlc5-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvlccore8\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libvlccore8-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-noX\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-noX-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-noX-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-qt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:vlc-qt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libvlc5-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libvlc5-debuginfo-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libvlccore8-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libvlccore8-debuginfo-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"vlc-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"vlc-debuginfo-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"vlc-debugsource-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"vlc-devel-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"vlc-noX-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"vlc-noX-debuginfo-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"vlc-noX-lang-2.2.4-27.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"vlc-qt-2.2.4-27.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.1\", reference:\"vlc-qt-debuginfo-2.2.4-27.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvlc5 / libvlc5-debuginfo / libvlccore8 / libvlccore8-debuginfo / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:21:46", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3598-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJune 07, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : vlc\nCVE ID : CVE-2016-5108\n\nPatrick Coleman discovered that missing input sanitising in the ADPCM\ndecoder of the VLC media player may result in the execution of arbitrary\ncode if a malformed media file is opened.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2.2.4-1~deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.2.4-1.\n\nWe recommend that you upgrade your vlc packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2016-06-07T20:30:44", "published": "2016-06-07T20:30:44", "id": "DEBIAN:DSA-3598-1:A3ACA", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00176.html", "title": "[SECURITY] [DSA 3598-1] vlc security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": 
"2017-01-12T01:58:47", "bulletinFamily": "exploit", "description": "VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow. CVE-2016-5108. DoS exploit for Windows platform", "modified": "2016-05-27T00:00:00", "published": "2016-05-27T00:00:00", "id": "EDB-ID:41025", "href": "https://www.exploit-db.com/exploits/41025/", "type": "exploitdb", "title": "VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow", "sourceData": "In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds\r\nwrite with user-controlled input.\r\n\r\nThe function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which\r\nis filled with bytes from the input stream. However, it does not check\r\nthat the number of channels in the input stream is less than or equal\r\nto the size of the buffer, resulting in an out-of-bounds write. The\r\nnumber of channels is clamped at <= 5. The channel array shown below\r\nholds only two entries, so a channel count of 3 to 5 makes the loop\r\nwrite past the end of that array.\r\n\r\nadpcm_ima_wav_channel_t channel[2];\r\n...\r\nfor( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )\r\n{\r\n channel[i_ch].i_predictor = (int16_t)((( ( p_buffer[0] << 1 )|(\r\np_buffer[1] >> 7 ) ))<<7);\r\n channel[i_ch].i_step_index = p_buffer[1]&0x7f;\r\n...\r\n\r\nThe mangling of the input p_buffer above and in\r\nAdpcmImaWavExpandNibble() makes this difficult to exploit, but there\r\nis a potential for remote code execution via a malicious media file.\r\n\r\nPOC:\r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41025.mov", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/41025/"}], "zdt": [{"lastseen": "2018-01-02T15:04:59", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2017-01-12T00:00:00", "published": "2017-01-12T00:00:00", "href": "https://0day.today/exploit/description/26652", "id": "1337DAY-ID-26652", "title": "VideoLAN VLC Media Player 2.2.1 - 
DecodeAdpcmImaQT Buffer Overflow Exploit", "type": "zdt", "sourceData": "In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds\r\nwrite with user-controlled input.\r\n \r\nThe function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which\r\nis filled with bytes from the input stream. However, it does not check\r\nthat the number of channels in the input stream is less than or equal\r\nto the size of the buffer, resulting in an out-of-bounds write. The\r\nnumber of channels is clamped at <= 5.\r\n \r\nadpcm_ima_wav_channel_t channel[2];\r\n...\r\nfor( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )\r\n{\r\n channel[i_ch].i_predictor = (int16_t)((( ( p_buffer[0] << 1 )|(\r\np_buffer[1] >> 7 ) ))<<7);\r\n channel[i_ch].i_step_index = p_buffer[1]&0x7f;\r\n...\r\n \r\nThe mangling of the input p_buffer above and in\r\nAdpcmImaWavExpandNibble() makes this difficult to exploit, but there\r\nis a potential for remote code execution via a malicious media file.\r\n \r\nPOC:\r\n \r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41025.mov\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/26652"}], "gentoo": [{"lastseen": "2017-01-17T04:59:29", "bulletinFamily": "unix", "description": "### Background\n\nVLC is a cross-platform media player and streaming server.\n\n### Description\n\nA buffer overflow was discovered in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in the VideoLAN VLC media player. \n\n### Impact\n\nRemote attackers, by enticing a user to execute a specially crafted QuickTime IMA file, could cause a Denial of Service condition or possibly execute arbitrary code. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll VLC users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-video/vlc-2.2.4\"", "modified": "2017-01-17T00:00:00", "published": "2017-01-17T00:00:00", "id": "GLSA-201701-39", "href": "https://security.gentoo.org/glsa/201701-39", "title": "VLC: Buffer overflow", "type": "gentoo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T12:38:49", "bulletinFamily": "unix", "description": "This update for vlc to version 2.1.6 fixes the following issues:\n\n These CVEs were fixed:\n - CVE-2016-5108: Reject invalid QuickTime IMA files (boo#984382).\n - CVE-2016-3941: Heap overflow in processing wav files (boo#973354).\n\n These security issues without a CVE were fixed:\n - Fix heap overflow in decomp stream filter.\n - Fix buffer overflow in updater.\n - Fix potential buffer overflow in schroedinger encoder.\n - Fix null-pointer dereference in DMO decoder.\n - Fix buffer overflow in parsing of string boxes in mp4 demuxer.\n - Fix SRTP integer overflow.\n - Fix potential crash in zip access.\n - Fix read overflow in Ogg demuxer.\n\n", "modified": "2016-06-22T14:09:48", "published": "2016-06-22T14:09:48", "id": "OPENSUSE-SU-2016:1651-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00045.html", "title": "Security update for vlc (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:50:17", "bulletinFamily": "unix", "description": "This update for vlc to 2.2.4 fixes the following security issue:\n - CVE-2016-5108: Fix out-of-bounds write in adpcm QT IMA codec (boo#984382).\n\n This also includes an update of codecs and libraries to fix these 3rd party\n security issues:\n - CVE-2016-1514: Matroska libebml EbmlUnicodeString Heap Information 
Leak\n - CVE-2016-1515: Matroska libebml Multiple ElementList Double Free\n Vulnerabilities\n - CVE-2015-7981: The png_convert_to_rfc1123 function in png.c in libpng\n allowed remote attackers to obtain sensitive process memory information\n via crafted tIME chunk data in an image file, which triggers an\n out-of-bounds read (bsc#952051).\n - CVE-2015-8126: Multiple buffer overflows in the (1) png_set_PLTE and (2)\n png_get_PLTE functions in libpng allowed remote attackers to cause a\n denial of service (application crash) or possibly have unspecified other\n impact via a small bit-depth value in an IHDR (aka image header) chunk\n in a PNG image (bsc#954980).\n\n", "modified": "2016-06-22T14:10:14", "published": "2016-06-22T14:10:14", "id": "OPENSUSE-SU-2016:1652-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00046.html", "type": "suse", "title": "Security update for vlc (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}