Summary : Heap buffer overflow vulnerability in A/52, DTS and MPEG Audio decoders Invalid memory access in AVI, ASF, Matroska (MKV) demuxers Invalid memory access in XSPF playlist parser Invalid memory access in ZIP archive decompressor Heap buffer overflow in RTMP access Date : 19 April 2010 Affected versions : VLC media player 1.0.5 down to 0.5.0 ID : VideoLAN-SA-1003 CVE references : CVE-2010-1441 through CVE-2010-1445
VLC media player suffers from various vulnerabilities when attempting to parse malformatted or overly long byte streams.
If successful, a malicious third party could crash the player instance or perhaps execute arbitrary code within the context of VLC media player.
Exploitation of those bugs requires the user to explicitly open specifically crafted malicious files.
The user may refrain from opening files from untrusted sources.
VLC media player 1.0.6 addresses these issues and introduces further stability fixes.
VLC media player 1.1.0 (currently in pre-release stage) addresses these issues as well and introduces further enhancements and fixes over version 1.0.6.
These vulnerabilities were discovered by the development team while working on VLC 1.1.0.