[vlc-devel] CVE-2008-3732

Rémi Denis-Courmont rem at videolan.org
Thu Aug 21 18:03:49 CEST 2008


Some asocial pirate going by the nickname of "g_" has found and published a 
buffer overflow vulnerability in the TTA file parser a few days ago. Now, 
there is nothing wrong with looking for vulnerabilities in VLC. But there is 
something wrong when you go to Bugtraq and do not even contact us - *at*all* 
(not even afterwards). Oh and the CVE guys have assigned a CVE candidate 
number without even contacting us either...

Note that the actual buffer overflow will cause VLC to try to write a very 
large amount of data. Hence it seems very unlikely to result in code 
execution, as VLC will eventually read out of bounds and trigger a 
segmentation fault first. Since there are quite a few ways to crash VLC with a 
corrupted input file starving VLC for memory, this is hence not a very big 
deal. Anyway, the fixes are in both the 0.9.0 master and 0.8.6-bugfix source code 
branches already.

Anyway, big shame on Pawel Kinski or whatever that irresponsible despicable g_ 
person's real name happens to be.

Regards to everyone else,

Rémi Denis-Courmont
