Security Information / 2011 / Security Information -- DSA-2257-1 vlc

Debian Security Advisory

DSA-2257-1 vlc -- heap-based buffer overflow

Date Reported:

10 Jun 2011

Affected Packages:

vlc

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2011-2194.

More information:

Rocco Calvi discovered that the XSPF playlist parser of VLC, a multimedia player and streamer, is prone to an integer overflow resulting in a heap-based buffer overflow. This might allow an attacker to execute arbitrary code by tricking a victim into opening a specially crafted file.

The oldstable distribution (lenny) is not affected by this problem.

For the stable distribution (squeeze), this problem has been fixed in version 1.1.3-1squeeze6.

For the testing (wheezy) and unstable (sid) distributions, this problem will be fixed soon.

We recommend that you upgrade your vlc packages.