-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
              AUSCERT Security Bulletin ASB-2011.0124.3
                Buffer overflow in VLC TiVo demuxer
                           31 October 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              VLC media player prior to 1.1.13
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Mobile Device
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-5231 CVE-2012-0023

Revision History:     October 31 2012: Added CVE reference
                      October 26 2012: Added CVE
                      December 22 2011: Initial Release

OVERVIEW

        A heap corruption vulnerability in VLC media player prior to 1.1.13
        has been patched.

IMPACT

        An attacker could crash VLC media player using a specially crafted
        file. There is also an unconfirmed risk of arbitrary code
        execution. [1]

MITIGATION

        Upgrading to VLC media player 1.1.13 is the recommended solution;
        however, there are also some workarounds: [1]

        - the TY demux plugin (libty_plugin.*) can be removed manually from
          the VLC plugins directory
        - disabling the VLC browser plugin until the patch is applied
        - following a general rule of not opening files from, or accessing
          remote sites of, untrusted sources

REFERENCES

        [1] Buffer overflow in VLC TiVo demuxer
            http://www.videolan.org/security/sa1108.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUJBsfO4yVqjM2NGpAQJfGQ/+JH/1msNxyejyUR55RA/hKEt4NOOoVMrA
B4eQ/kPUihfa4XEBpd3nZoqT5T+mi5QQwkU8tPYLzlh+H1IWJOwU+FwKs7+M6nnk
wSarUP1goJer8C+GLl5Uu8Cbd1QI6qlUjgfBzwvZq5jHnnfjQgsSLt6l7mCVljku
HUpHzexj+ZsNHLQbtQUh2lhNuAF10JDhxlb0BfgD5vZyzSAUARkvRjkv4UqG//te
81pXv40EnixSy+Zis4eh3Vof0d/Fxmvhrk0ZBMAkEGeXMU8wUHGwp8/MweMtuF96
a/qFY3Ho0thL0Khyz0ke4cYeOiuiUvP5tZQRqk05wpEK9tPmCivi7EGLD4uhMWcY
587twDHSQXqaPG9BoSU8dMXp/rXiBu/vf9+mMluHOdeWep5/4KabElR9eQHAn2me
smNXaVgElNUqjV9qABlyIealoc0Rwu9V4ylQz9mIpvxnfjBu1fF1S6SnvK3XkhRn
P4sZP54tUlq/gLRuOBMRMe75wKwR8DP5BU6hH5LtjvIdYoYAsYWxEczSGkVCFBIf
5Mlh7gpHIj4el3SDQVpi6UzVwb3JydLvAFhmAWEFLVGXPkRfk4isOwkS2xx5x1+k
ftAgCxbTN1b5THpea6hRkJLkak69hmJZw9NPboAVIHa41JerUDyG3mcTrXzGSxmo
HuHjYrjwBvY=
=8Moj
-----END PGP SIGNATURE-----
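The MITIGATION section gives an administrator two things to check: whether the installed VLC predates the fixed release 1.1.13, and where the TY demuxer plugin (libty_plugin.*) lives if it has to be removed as a stop-gap. The following POSIX shell script is an added example written for this page; it is not part of the AusCERT bulletin or of VLC itself. It assumes the `vlc --version` banner begins "VLC media player X.Y.Z", uses a constructed banner string for its demonstration, and defaults the plugin directory to a Debian-style path that you should override with `VLC_PLUGIN_DIR` on other platforms.

```shell
#!/bin/sh
# Added example, not part of the AusCERT bulletin or of VLC itself.
# Two defender-side checks derived from the advisory's MITIGATION section:
#   1. is the installed VLC older than the fixed release 1.1.13?
#   2. where is the TY demuxer plugin (libty_plugin.*) that the workaround
#      says to remove until the upgrade is applied?
# The plugin directory below is an ASSUMPTION (Debian-style layout); set
# VLC_PLUGIN_DIR to the right path for your platform.

FIXED_VERSION="1.1.13"
PLUGIN_DIR="${VLC_PLUGIN_DIR:-/usr/lib/vlc/plugins}"

# version_lt A B: succeed (exit 0) when A sorts strictly before B.
# Components are compared numerically, a non-numeric suffix such as "-git"
# is dropped, and a missing component counts as 0, so 1.1 < 1.1.13.
version_lt() {
    v1=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    v2=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        a=${a:-0}; b=${b:-0}
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
    done
    return 1   # versions are equal
}

# Pull the version number out of a `vlc --version` banner, which (assumed
# format) starts "VLC media player X.Y.Z <codename>". Prints nothing if the
# banner does not match, so callers can tell "old" from "unknown".
vlc_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/.*VLC media player \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# vlc_is_vulnerable BANNER: 0 if the banner's version predates the fix,
# 1 if it is fixed, 2 if no version could be parsed.
vlc_is_vulnerable() {
    v=$(vlc_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "could not parse a VLC version from: $1" >&2
        return 2
    fi
    version_lt "$v" "$FIXED_VERSION"
}

# find_ty_plugin DIR: print every libty_plugin.* file below DIR, the file
# the bulletin says can be removed as a workaround. Fails if DIR is absent.
find_ty_plugin() {
    [ -d "$1" ] || return 1
    find "$1" -type f -name 'libty_plugin.*'
}

# Demonstration on a CONSTRUCTED banner (made up for this example, not
# captured from a real installation). On a live host use instead:
#   vlc_is_vulnerable "$(vlc --version 2>/dev/null | head -n 1)"
SAMPLE_BANNER="VLC media player 1.1.12 The Luggage"
if vlc_is_vulnerable "$SAMPLE_BANNER"; then
    echo "VLC $(vlc_version_from_banner "$SAMPLE_BANNER") predates $FIXED_VERSION:" \
         "upgrade, or remove libty_plugin.* from the plugins directory as a stop-gap"
fi
find_ty_plugin "$PLUGIN_DIR" || echo "no plugin directory at $PLUGIN_DIR (set VLC_PLUGIN_DIR)"
```

The version comparison is deliberately component-wise rather than a string compare, so that a later release such as 1.1.13 is not reported as older than 1.1.9 simply because "13" sorts before "9" lexically. Removing the plugin file only disables the TY demuxer; the upgrade to 1.1.13 remains the real fix, as the bulletin states.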