VLC media player TY file parse_master buffer overflow

2008-12-04T00:00:00
ID SAINT:A8DEC172343FDC98B38B4D8416323F02
Type saint
Reporter SAINT Corporation
Modified 2008-12-04T00:00:00

Description

Added: 12/04/2008
CVE: CVE-2008-4654
BID: 31813
OSVDB: 49181

Background

VLC media player is a media player supporting various audio and video formats for multiple platforms.

Problem

A buffer overflow vulnerability in the parse_master function in the Ty demux plugin allows command execution when a user opens a specially crafted TiVo TY media file.

Resolution

Upgrade to VLC media player 0.9.5 or higher.

References

<http://www.videolan.org/security/sa0809.html>
<http://archives.neohapsis.com/archives/bugtraq/2008-10/0155.html>

Limitations

Exploit works on VLC media player 0.9.4 and requires a user to open the exploit file in VLC media player.

Platforms

Windows 2000
Windows XP