[vlc-devel] CVE-2009-1045 VLC 0.9.8a DoS (crash) and possibly arbitrary code execution
Rémi Denis-Courmont
rem at videolan.org
Tue Mar 24 23:52:27 CET 2009
Hello,
Le Tuesday 24 March 2009 19:26:02 Ján iankko Lieskovský, vous avez écrit :
> the following potentially security vulnerability has been reported
> against VLC 0.9.8a player:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1045
This report is incorrect. The issue is a stack overflow, a plain old-style
stack overflow. It is _not_ a (stack-based) buffer overflow. The ability to
run arbitrary code has not been proven, as the traditional buffer overflow
explot techniques are _not_ applicable. But this is all moot because...
...this is _not_ a _security_ issue. So users can crash their own VLC
instances via the (Web) user interface. What is the big deal?
> Could you please address this flaw?
The bug is already fixed. I am not planning to make any security advisory. As
far as I am concerned, it is not a security issue except for users with split
personality.
--
Rémi Denis-Courmont
More information about the vlc-devel
mailing list