Summary : Heap overflows in VLC Real RTSP support. Date : March 2012 Affected versions : VLC media player all versions up to 2.0.1 ID : VideoLAN-SA-1202 CVE reference : CVE-2012-1776
Details will be known later.
If successful, a malicious third party could crash the VLC media player process. Arbitrary code execution could be possible on some systems.
Exploitation of this issue requires the user to explicitly open a specially crafted file.
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.
Alternatively, the realrtsp access plugin (libaccess_realrtsp_plugin.*
)
can be removed manually from the VLC plugin installation directory.
This will prevent opening of Real rtsp streams.
VLC media player 2.0.1 addresses this issue. Patches for older versions will be available through the git repositories
This vulnerability was reported by Florent Hochwelker, aka TaPiOn.