SoylentNews is people

posted by martyb on Tuesday June 25 2019, @11:08PM
from the no-more-playing-around dept.

Submitted via IRC for SoyCow1944

An attacker could remotely take full control over a computer system while playing untrusted videos with any version of VLC media player software prior to 3.0.7.

The hack is possible due to two high-risk security flaws (CVE-2019-5439, CVE-2019-12874) that could potentially lead to arbitrary code execution attacks. The company VideoLAN also addressed many other medium and low-severity security vulnerabilities in its software.

"A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively," reads the security advisory published by the company. "If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user."

Source: https://securityaffairs.co/wordpress/87433/breaking-news/vlc-player-flaws.html


  • (Score: 2) by http (1920) on Wednesday June 26 2019, @06:20AM (#860008)

    Fucking.

    --
    I browse at -1 when I have mod points. It's unsettling.