VLC media player: Format string vulnerability — GLSA 200701-24

VLC media player improperly handles format strings, allowing for the execution of arbitrary code.

Affected packages

media-video/vlc on all architectures
Affected versions < 0.8.6-r1
Unaffected versions >= 0.8.6-r1

Background

VLC media player is a multimedia player for various audio and video formats.

Description

Kevin Finisterre has discovered that when handling media locations, various functions throughout VLC media player make improper use of format strings.
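The bug class described above, shown as an added example; this is not VLC's code or the upstream patch. `msg_log`, `log_location_unsafe`, `log_location_safe` and the sample locations are hypothetical names and constructed inputs used to contrast passing a media location as the format string with passing it as an argument to a fixed `"%s"` format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style message helper (an assumption, not a VLC API).
 * Declaring it with __attribute__((format(printf, 3, 4))) would let
 * GCC/Clang -Wformat-security flag the unsafe caller below at build time. */
static int msg_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable pattern: the untrusted location is used AS the format string,
 * so any conversion specification inside it is interpreted. */
int log_location_unsafe(char *out, size_t n, const char *location)
{
    return msg_log(out, n, location);
}

/* Fixed pattern: constant format, untrusted location passed as data. */
int log_location_safe(char *out, size_t n, const char *location)
{
    return msg_log(out, n, "%s", location);
}

/* Returns 1 when both callers render the location identically, 0 when the
 * unsafe caller interpreted part of the input as formatting. */
int same_output(const char *location)
{
    char a[256], b[256];
    log_location_unsafe(a, sizeof a, location);
    log_location_safe(b, sizeof b, location);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed samples; "%%" is used because it consumes no argument,
     * so the unsafe call stays well-defined while still showing the flaw. */
    const char *samples[] = { "file:///music/track01.mp3", "100%%.mp3" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s identical=%d\n", samples[i], same_output(samples[i]));
    return 0;
}
```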

Impact

An attacker could entice a user to open a specially crafted media location or M3U file with VLC media player, and execute arbitrary code on the system with the rights of the user running VLC media player.

Workaround

There is no known workaround at this time.

Resolution

All VLC media player users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6-r1"

Release date
January 26, 2007

Latest revision
January 26, 2007: 01

Severity
normal

Exploitable
remote
