-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2011.0124.3
                    Buffer overflow in VLC TiVo demuxer
                              31 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          VLC media player prior to 1.1.13
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
                  Mobile Device
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2011-5231 CVE-2012-0023 

Revision History: October  31 2012: Added CVE reference
                  October  26 2012: Added CVE
                  December 22 2011: Initial Release

OVERVIEW

        A heap corruption vulnerability in the TY (TiVo) demuxer of VLC
        media player prior to 1.1.13 has been patched.


IMPACT

        An attacker could crash VLC media player by convincing a user to open
        a specially crafted TiVo (TY) file, either locally or via the VLC
        browser plugin. There is also an unconfirmed risk of arbitrary code
        execution. [1]


MITIGATION

        Upgrading to VLC media player 1.1.13 is the recommended solution.
        Where that is not immediately possible, the following workarounds
        are available: [1]
        - remove the TY demux plugin (libty_plugin.*) manually from the
          VLC plugins directory
        - disable the VLC browser plugin until the patch is applied
        - as a general rule, do not open files from, or access remote sites
          belonging to, untrusted sources
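
        The version check and the plugin removal above, as an added example
        that is not part of the AusCERT bulletin or of VideoLAN's advisory:
        a POSIX shell script that compares the installed VLC version against
        the fixed release and quarantines (rather than deletes) any
        libty_plugin.* found under a plugins directory, so the demuxer can
        be restored after upgrading. The plugins directory path, the
        quarantine location and the format of `vlc --version` output are
        assumptions; on a typical Linux install the plugins live under a path
        such as /usr/lib/vlc/plugins, with the demuxer in its demux/
        subdirectory, but verify this for your build.

```shell
#!/bin/sh
# Added example, not part of the AusCERT bulletin or VideoLAN's advisory.
# Checks the installed VLC against the fixed release and quarantines the TY
# (TiVo) demuxer plugin named in the bulletin so it can be restored later.
# Assumptions: `vlc --version` prints the version as the first dotted number
# on its first line; plugin paths contain no whitespace (true under /usr/lib).

FIXED_VERSION=1.1.13

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# A suffix such as "-git" is ignored; missing fields count as 0.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0.0
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0.0
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# extract_version LINE: pull the first dotted version number out of a line
# such as "VLC media player 1.1.12 The Luggage"; prints nothing if absent.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# quarantine_ty_plugin PLUGIN_DIR DEST: move every libty_plugin.* found under
# PLUGIN_DIR into DEST and print the number of files moved. Moving instead of
# deleting lets the demuxer be restored once VLC is upgraded to 1.1.13.
quarantine_ty_plugin() {
    dir="$1"; dest="$2"; count=0
    mkdir -p "$dest"
    for f in $(find "$dir" -type f -name 'libty_plugin.*' -print); do
        mv "$f" "$dest"/
        count=$((count + 1))
    done
    printf '%s\n' "$count"
}

# main PLUGIN_DIR [QUARANTINE_DIR]: report whether the installed VLC is
# affected and, if so, quarantine the TY demuxer as the interim workaround.
main() {
    plugin_dir="$1"
    quarantine="${2:-$plugin_dir/../quarantined-plugins}"
    ver=$(extract_version "$(vlc --version 2>/dev/null | head -n 1)")
    if [ -z "$ver" ]; then
        echo "vlc not found on PATH or version not recognised" >&2
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "VLC $ver is affected (fixed in $FIXED_VERSION); quarantining TY demuxer"
        n=$(quarantine_ty_plugin "$plugin_dir" "$quarantine")
        echo "moved $n plugin file(s) to $quarantine"
    else
        echo "VLC $ver is not affected"
    fi
}

# Run only when a plugins directory is given, for example:
#   sh vlc_ty_workaround.sh /usr/lib/vlc/plugins
if [ "$#" -gt 0 ]; then main "$@"; fi
```

        The script moves the plugin aside rather than deleting it because
        the workaround is temporary: once 1.1.13 is installed the quarantined
        file is no longer needed and can simply be discarded, but until then
        a reversible change is easier to audit and to undo if TiVo playback
        turns out to be required.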


REFERENCES

        [1] Buffer overflow in VLC TiVo demuxer
            http://www.videolan.org/security/sa1108.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----