VideoLAN, a project and a non-profit organization.

Security Advisory 1002

Summary           : Buffer overflow in ancient VLC media player 
Date              : March 2010
Affected versions : VLC media player 0.8.6 to 0.8.6d 
ID                : VideoLAN-SA-1002
CVE reference     : CVE-2010-0364

Details

fl0 fl0w claims to have found a buffer overflow in SSA subtitle parsing in VLC media player 0.8.6 to 0.8.6d. This is actually a subset of a collection of buffer overflows discovered and fixed in late 2007 - early 2008.

See our advisory VideoLAN-SA-0801 for more information.

Threat mitigation

This issue only affects users of very old VLC versions.

Solution

Update to the latest VLC media player (1.0.5 at the time of writing).

References

The VideoLAN project
http://www.videolan.org/

History

February 2010
Vendor awareness.
22 March 2010
Initial security advisory.

Christophe Mutricy,
on behalf of the VideoLAN project