CVE-2013-3245

2013-07-1000:00:00

ubuntu.com

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.01 Low

EPSS

Percentile

83.9%

JSON

DISPUTED plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media Player
2.0.7, and possibly other versions, allows remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a crafted
MKV file, possibly involving an integer overflow and out-of-bounds read or
heap-based buffer overflow, or an uncaught exception. NOTE: the vendor
disputes the severity and claimed vulnerability type of this issue, stating
“This PoC crashes VLC, indeed, but does nothing more… this is not an
integer overflow error, but an uncaught exception and I doubt that it is
exploitable. This uncaught exception makes VLC abort, not execute random
code, on my Linux 64bits machine.” A PoC posted by the original researcher
shows signs of an attacker-controlled out-of-bounds read, but the affected
instruction does not involve a register that directly influences control
flow.

OSVersionArchitecturePackageVersionFilename
ubuntu12.04noarchvlc< 2.0.8-0ubuntu0.12.04.1UNKNOWN
ubuntu12.10noarchvlc< 2.0.8-0ubuntu0.12.10.1UNKNOWN
ubuntu13.04noarchvlc< 2.0.8-0ubuntu0.13.04.1UNKNOWN
ubuntu13.10noarchvlc< 2.0.8-1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	12.04	noarch	vlc	< 2.0.8-0ubuntu0.12.04.1	UNKNOWN
ubuntu	12.10	noarch	vlc	< 2.0.8-0ubuntu0.12.10.1	UNKNOWN
ubuntu	13.04	noarch	vlc	< 2.0.8-0ubuntu0.13.04.1	UNKNOWN
ubuntu	13.10	noarch	vlc	< 2.0.8-1	UNKNOWN