There are two memory corruption vulnerabilities in some versions of the VLC open-source media player that can allow an attacker to run arbitrary code on vulnerable machines.
Neither one of the vulnerabilities has been fixed by VideoLAN, the organization that maintains VLC. Security researcher Veysel Hatas reported the vulnerabilities to VideoLAN in December and published the advisories on Full Disclosure on Friday. One of the bugs is a DEP access violation vulnerability and the other is is a write access flaw.
Both vulnerabilities affect version 2.1.5 of VLC media player, but only on the outdated Windows XP operating system. While XP is no longer supported by Microsoft and is several versions out of date, it still is used widely in developing countries and in embedded devices, as well.
“VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted FLV file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code,” the advisory says.
The description of the second vulnerability is much the same.
“VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted M2V file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code,” the advisory says.
There are no patches available for the vulnerabilities, according to the advisory.
