Submitted via IRC for SoyCow1944
An attacker could remotely take full control over a computer system while playing untrusted videos with any version of VLC media player software prior to 3.0.7.
The hack is possible due to two high-risk security flaws (CVE-2019-5439, CVE-2019-12874) that could potentially lead to arbitrary code execution attacks. The company VideoLAN also addressed many other medium and low-severity security vulnerabilities in its software.
"A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively," reads the security advisory published by the company. "If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user."
Source: https://securityaffairs.co/wordpress/87433/breaking-news/vlc-player-flaws.html
(Score: 2) by JoeMerchant on Wednesday June 26 2019, @01:26AM (2 children)
>Do we have Untrusted Textfiles
Perhaps, but they generally don't have enough data to hide large malware in side channels, whereas everybody streaming Game of Thrones or whatever from pirate sites before it's aired... yeah, that qualifies as untrusted videos.
🌻🌻 [google.com]
(Score: 3, Touché) by PiMuNu on Wednesday June 26 2019, @04:51PM (1 child)
> > Do we have Untrusted Textfiles
>
> Perhaps, but they generally don't have enough data to hide large malware in side channels,
Vim:
https://www.techworm.net/2019/06/linux-vulnerability-vim-neovim-editor.html [techworm.net]
(Score: 2) by JoeMerchant on Wednesday June 26 2019, @08:06PM
VI: there's no accounting for people with brain damage.
🌻🌻 [google.com]