=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN333
_____________________________________________________________________

DATE                      : 04/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : systems running VLC media player version
                                            0.8.6i and earlier.

======================================================================
http://www.videolan.org/security/sa0807.html
______________________________________________________________________

Security Advisory 0807

Summary           : Multiple overflows in VLC demuxers
Date              : August 2008
Affected versions : VLC media player 0.8.6i and earlier
ID                : VideoLAN-SA-0807
CVE reference     : CVE-2008-3732, CVE-2008-3794

Details

When parsing the header of an invalid TTA file, an integer overflow
might happen, causing a heap-based buffer overflow.

When parsing a response from an MMS server, an integer overflow might
happen causing a stack-based buffer overflow.
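
Added example, not code from VLC or from this advisory: the general
pattern behind an integer overflow that leads to an undersized buffer,
next to a checked size computation. The header layout (a 32-bit entry
count followed by 4-byte entries) and all function names are
hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical layout: a 32-bit entry count read from the header,
 * followed by that many 4-byte table entries. Not VLC's format. */
#define ENTRY_SIZE 4u

/* Unchecked 32-bit arithmetic: the product wraps modulo 2^32, so a
 * huge count from the file yields a tiny allocation size. */
uint32_t unchecked_table_bytes(uint32_t count)
{
    return (count + 1u) * ENTRY_SIZE;
}

/* Checked version: returns 0 and stores the size, or -1 when the
 * header claims more data than the input can actually contain. */
int checked_table_bytes(uint32_t count, uint64_t bytes_left, size_t *out)
{
    uint64_t need = ((uint64_t)count + 1u) * ENTRY_SIZE; /* no wrap in 64 bits */
    if (need > bytes_left)               /* more than the file holds */
        return -1;
    if (need != (uint64_t)(size_t)need)  /* does not fit in size_t */
        return -1;
    *out = (size_t)need;
    return 0;
}

/* Allocate only after validation; NULL means "reject the file". */
uint32_t *alloc_table(uint32_t count, uint64_t bytes_left)
{
    size_t n;
    if (checked_table_bytes(count, bytes_left, &n) != 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    uint32_t crafted = 0x3FFFFFFFu;  /* constructed sample count */
    uint32_t *t = alloc_table(crafted, 1024);
    printf("unchecked size: %u bytes\n", (unsigned)unchecked_table_bytes(crafted));
    printf("checked parser: %s\n", t ? "accepted" : "rejected");
    free(t);
    return 0;
}
```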


Impact

If successful, a malicious third party could trigger execution of
arbitrary code within the context of the VLC media player. However,
because the integer overflows will cause an unusually large amount of
memory to be read, a page fault is most likely to occur (segmentation
fault on Unix systems, general protection fault on Windows), resulting
in a termination of the VLC process.


Threat mitigation

Exploitation of this issue requires the user to explicitly open a
specially crafted file, or access a malicious MMS server.


Workarounds

The user should refrain from opening files from untrusted third parties
or accessing untrusted remote sites (or disable the VLC browser
plugins), until the patch is applied.


Solution

VLC media player 0.9.1 addresses these issues. Patches for VLC media
player 0.8.6 are available from the official VLC source code repository.


Credits

This vulnerability was not responsibly disclosed. There are no credits.


References

The VideoLAN project
     http://www.videolan.org/

History

16 August 2008
     TTA vulnerability public disclosure.
20 August 2008
     Vendor notified by third parties.
     TTA source code fixes for VLC 0.9.
21 August 2008
     TTA source code fixes for VLC 0.8.6.
24 August 2008
     MMS vulnerability public disclosure.
     Vendor notified by third parties.
     MMS source code fixes for VLC 0.8.6 and 0.9.
     VLC media player 0.9.0 released.
30 August 2008
     Initial security advisory.

Rémi Denis-Courmont,
on behalf of the VideoLAN project


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
