VideoLAN VLC Media Player ParseJSS Heap Buffer Overflow
TSL ID: TSL20170609-02
CVE ID(s): CVE-2017-8311
Severity: Moderate
Description

A heap-based buffer overflow has been reported in VLC Media Player. The vulnerability is due to improper handling of certain directives in JACOsub subtitle files.

A remote attacker could exploit this vulnerability by enticing a victim user to open a maliciously crafted subtitle file. Successful exploitation could result in arbitrary code execution in the context of the user.

VideoLAN has committed the following patch resolving this vulnerability:

http://git.videolan.org/?p=vlc.git;a=commit;h=775de716add17322f24b476439f903a829446eb6

Affected Products
  • VideoLAN VLC Media Player prior to 2.2.5.1
CVSS Score Base 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P):
  • Access vector is NETWORK
  • Access complexity is MEDIUM
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is PARTIAL
Temporal 5.0 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
References http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
http://git.videolan.org/?p=vlc.git;a=commit;h=775de716add17322f24b476439f903a829446eb6