Security Advisory 1601
Summary : Buffer Overflow in Processing QuickTime IMA Files Date : June 2016 Affected versions : VLC media player 2.2.3 and earlier ID : VideoLAN-SA-1601 CVE reference : CVE-2016-5108
Details
A remote user can create a specially crafted QuickTime IMA file that, when loaded by the target user, will trigger a buffer overflow in DecodeAdpcmImaQT() in 'modules/codec/adpcm.c'.
Impact
If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.
Threat mitigation
Exploitation of those issues requires the user to explicitly open a specially crafted file or stream.
ASLR and DEP help reduce exposure, but may be bypassed.
Workarounds
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.
Solution
VLC media player 2.2.4 addresses the issue.
References
- The VideoLAN project
- http://www.videolan.org/
- VLC official GIT repository
- http://git.videolan.org/?p=vlc.git
- wong chee tat :)