Video nasty: Two big bugs in VLC media player's core library
Flaws disclosed in late December await exploitation
A Turkish hacker has revealed two zero-day vulnerabilities in library code used by the popular VLC media player and others.
The data execution prevention (CVE-2014-9597) and write access (CVE-2014-9598) violation vulnerabilities could lead to arbitrary code execution, researcher Veysel Hatas said in a post.
"VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitised when handling a specially crafted FLV" or M2V file, Hatas said.
"This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code."
He said both were high severity holes.
VLC's developers, Videolan Software, were informed of the flaws on Boxing Day and had not issued fixes for the latest stable version, 2.1.5, by the time of disclosure 9 January. Version 2.2.0-rc2, available to testers, is not vulnerable, according to the VLC project's bug tracker.
The developers have been contacted for comment. Judging by entries in the VLC bug tracker, here and here, the flaws lie within libavcodec, a core component of the video player. This library is also used by MPlayer and other open-source software.
Videolan Software claims to have clocked up millions of downloads for Windows and Mac operating systems alone across various versions and more than 1.5 billion downloads in total. ®