Multiple vulnerabilities were found in VLC, allowing for the execution of arbitrary code and Denial of Service.
Package | media-video/vlc on all architectures |
---|---|
Affected versions | < 0.8.6e |
Unaffected versions | >= 0.8.6e |
VLC is a cross-platform media player and streaming server.
Multiple vulnerabilities were found in VLC:
A remote attacker could send a long subtitle in a file that a user is enticed to open, a specially crafted MP4 input file, long SDP data, or a specially crafted HTTP request with a "Connection" header value containing format specifiers, possibly resulting in the remote execution of arbitrary code. Also, a Denial of Service could be caused and arbitrary files could be overwritten via the "demuxdump-file" option in a filename in a playlist or via an EXTVLCOPT statement in an MP3 file.
There is no known workaround at this time.
All VLC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6e"
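To triage hosts against the affected range in the table above, the following added example (not part of the advisory) classifies a VLC version string as affected or not. The function names are hypothetical, and the comparison is a simplified subset of Gentoo version ordering: dotted integers with an optional single trailing letter and an ignored -rN revision. Any other form is rejected rather than guessed at.

```shell
#!/bin/sh
# Added example: decide whether a media-video/vlc version falls in the
# advisory's affected range (< 0.8.6e). Function names are hypothetical.
LC_ALL=C; export LC_ALL
FIXED="0.8.6e"   # first unaffected version, from the advisory table

# ver_lt A B: 0 if A < B, 1 if A >= B, 2 if either string is not in the
# supported form N(.N)*[a-z] with an optional -rN revision (ignored here).
ver_lt() {
    a=${1%-r[0-9]*}; b=${2%-r[0-9]*}
    for x in "$a" "$b"; do
        printf '%s\n' "$x" |
            grep -Eq '^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))*[a-z]?$' || return 2
    done
    la=${a##*[0-9]}; lb=${b##*[0-9]}   # trailing letter, or empty
    na=${a%[a-z]};   nb=${b%[a-z]}     # dotted numeric part
    while [ -n "$na" ] && [ -n "$nb" ]; do
        ca=${na%%.*}; cb=${nb%%.*}
        [ "$ca" -lt "$cb" ] && return 0
        [ "$ca" -gt "$cb" ] && return 1
        case $na in *.*) na=${na#*.} ;; *) na= ;; esac
        case $nb in *.*) nb=${nb#*.} ;; *) nb= ;; esac
    done
    [ -n "$nb" ] && return 0           # B has extra components: A is lower
    [ -n "$na" ] && return 1
    # Numeric parts equal: no letter sorts before any letter (0.8.6 < 0.8.6e)
    [ "$la" = "$lb" ] && return 1
    [ -z "$la" ] && return 0
    [ -z "$lb" ] && return 1
    [ "$(printf '%s\n%s\n' "$la" "$lb" | sort | head -n 1)" = "$la" ]
}

# vlc_is_affected VERSION: 0 = affected, 1 = not affected, 2 = unparsed
vlc_is_affected() { ver_lt "$1" "$FIXED"; }

# Constructed sample inventory, not real host data.
for v in 0.8.6d 0.8.6 0.8.6e 0.8.6e-r1 0.9.0 0.8.6e_rc1; do
    if vlc_is_affected "$v"; then
        echo "vlc-$v: AFFECTED, upgrade to >= $FIXED"
    else
        case $? in
            1) echo "vlc-$v: not affected" ;;
            *) echo "vlc-$v: unrecognised version form, check manually" ;;
        esac
    fi
done
```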