
Bug 363359 (CVE-2011-1684)

Summary: <media-video/vlc-1.1.9: Heap overflow vulnerability with corrupt MP4 files (CVE-2011-1684)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: media-video
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.videolan.org/security/sa1103.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-04-12 19:03:58 UTC
From $URL:

Details

When parsing some MP4 (MPEG-4 Part 14) files, insufficient buffer size might lead to corruption of the heap.

Impact

If successful, it is unknown whether a malicious third party might be able to trigger execution of arbitrary code. Successful exploitation of this bug can crash the process of the media player.

Threat mitigation

Exploitation of this issue requires the user to explicitly open an MP4 file with some specific content.
Comment 1 Alexis Ballier gentoo-dev 2011-04-14 00:22:51 UTC
vlc 1.1.9 is in the tree and should fix this
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-04-14 13:48:01 UTC
(In reply to comment #1)
> vlc 1.1.9 is in the tree and should fix this

Great, thank you.

Arches, please test and mark stable:
=media-video/vlc-1.1.9
Target keywords : "alpha amd64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-04-14 17:27:52 UTC
amd64 ok
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-04-15 07:17:57 UTC
x86 stable
Comment 5 Christoph Mende (RETIRED) gentoo-dev 2011-04-15 21:40:59 UTC
amd64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2011-04-16 16:50:40 UTC
alpha/sparc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2011-04-22 18:02:40 UTC
ppc done
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-04-26 12:09:36 UTC
ppc64 stable, last arch done
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 13:55:36 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:22:50 UTC
CVE-2011-1684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1684):
  Heap-based buffer overflow in the MP4_ReadBox_skcr function in libmp4.c in
  the MP4 demultiplexer in VideoLAN VLC media player before 1.1.9 allows
  remote attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted MP4 file.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-11-05 22:08:45 UTC
This issue was resolved and addressed in
 GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml
by GLSA coordinator Sean Amoss (ackle).