VLC 0.9.8a Web UI (input) Remote Denial of Service Exploit
(See URL for exploit code)
Interestingly, if a video is playing, playback just restarts, but if not, VLC hangs. In other words, the exploit works (0.9.8a, amd64)
Stack-based buffer overflow in requests/status.xml in VLC 0.9.8a
allows remote attackers to cause a denial of service (crash) and
possible execute arbitrary code via a long input argument in an
This bug is fixed in the latest version of vlc.
The actual problem here is not DoS, ("because if you have access to the html interface and want to DoS vlc, you'd quicker to click on the "Close"
button"), but possible execution of arbitrary code.
(In reply to comment #3)
> This bug is fixed in the latest version of vlc.
are you sure? it still crashed when I tried it.
moreover there is this commit which i'm still unsure about the implications:
The Debian resource is incorrect.
This bug might be fixed in vlc 0.9.10.
> Changes between 0.9.9a and 0.9.10-git:
> * Fix default ACL of http interface
(In reply to comment #5)
> The Debian resource is incorrect.
> This bug might be fixed in vlc 0.9.10.
> > Changes between 0.9.9a and 0.9.10-git:
> > * Fix default ACL of http interface
I've added the relevant patch to 0.9.9a-r1's patchset
arches, please go for media-video/vlc-0.9.9a-r1
Sparc stable, I was already using it.
(In reply to comment #10)
> amd64 stable
05 Jul 2009; Markus Meier <email@example.com> vlc-0.9.8a.ebuild:
amd64 stable, bug #262708
(In reply to comment #6)
> > > Changes between 0.9.9a and 0.9.10-git:
> > > * Fix default ACL of http interface
> I've added the relevant patch to 0.9.9a-r1's patchset
Fail? Ok, the bug summary is wrong.
Stable on alpha.
Marked ppc stable.
Updated CVE (and the vlc-devel list too, according to Alex) says DoS only (no execution of arbitrary code), so sticking with B3.
Ready for vote, I vote NO.
Then I vote NO, too.