Bug 397553

Summary: media-video/vlc Heap Corruption in VLC TiVo demuxer (CVE-2012-0023)
Product: Gentoo Security Reporter: Michael Harrison <n0idx80>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal CC: aballier, media-video
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.videolan.org/security/sa1108.html
Whiteboard: B2 [ebuild]
Package list:
Runtime testing required: ---

Description Michael Harrison 2012-01-03 22:01:24 UTC
When parsing the header of an invalid TY file, the heap might be corrupted. 

Commit:
http://git.videolan.org/?p=vlc.git;a=commit;h=7d282fac1cc455b5a5eca2bb56375efcbf879b06


Workarounds:
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

Alternatively, the TY demux plugin (libty_plugin.*) can be removed manually from the VLC plugin installation directory. This will prevent opening of TiVo files.
Comment 1 Michael Harrison 2012-01-03 23:42:36 UTC

*** This bug has been marked as a duplicate of bug 395543 ***