VideoLAN, a project and a non-profit organization.

Security Advisory 1107

Summary           : NULL dereference vulnerability in HTTP and RSTP server
Date              : 06 October 2011
Affected versions : VLC media player 1.1.11 and ealier
ID                : VideoLAN-SA-1107
CVE references    : CVE-2011-3333

Details

VLC media player suffers from a NULL dereference vulnerability in the HTTP and RTSP server component.

Impact

If successful, a malicious third party could crash the server process. Arbitrary code execution within the context of VLC media player is not believed possible.

Threat mitigation

Exploitation of those bugs requires the user to explicitly start the HTTP web interface, HTTP output, RTSP output or RTSP VoD functions.

Workarounds

Where possible, limit access to the VLC server to trusted IP addresses.

Alternatively, configure a deep inspection firewall to block malformed HTTP and RTSP requests.

Solution

VLC media player 1.1.12 addresses this issue. A source code patch is also available as an alternative.

Credits

This vulnerability was discovered by Jouni Knuutinen from Codenomicon Oy and coordinated by Antti Kiuru from the CERT-FI security unit at the Finnish Communications Regulatory Authority (FICORA).

References

The VideoLAN Project
http://www.videolan.org/
Source code patch
git commit a03617089bc045e343f94921f257cf71436f4812
Codenomicon Oy
http://www.codenomicon.com/
CERT-FI
http://www.cert-fi.fi/en/
FICORA
http://www.ficora.fi/en/

History

10 October 2011
CVE ID assigned
06 Octobery 2011
VLC 1.1.12 released
Initial advisory
26 September 2011
Issue resolved privately
Bug reported
Rémi Denis-Courmont,
on behalf of the VideoLAN project