[vlc-devel] CVE-2009-1045 VLC 0.9.8a DoS (crash) and possibly arbitrary code execution

Rémi Denis-Courmont rem at videolan.org
Tue Mar 24 23:52:27 CET 2009


	Hello,

Le Tuesday 24 March 2009 19:26:02 Ján iankko Lieskovský, vous avez écrit :
>   the following potentially security vulnerability has been reported
> against VLC 0.9.8a player:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1045

This report is incorrect. The issue is a stack overflow, a plain old-style 
stack overflow. It is _not_ a (stack-based) buffer overflow. The ability to 
run arbitrary code has not been proven, as the traditional buffer overflow 
explot techniques are _not_ applicable. But this is all moot because...

...this is _not_ a _security_ issue. So users can crash their own VLC 
instances via the (Web) user interface. What is the big deal?

> Could you please address this flaw?

The bug is already fixed. I am not planning to make any security advisory. As 
far as I am concerned, it is not a security issue except for users with split 
personality.

-- 
Rémi Denis-Courmont



More information about the vlc-devel mailing list