Bug 454650 (CVE-2013-1954) - <media-video/vlc-2.0.6 : ASF Processing Buffer Overflow Vulnerability (CVE-2013-1954)
Alias: CVE-2013-1954
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2013-01-30 13:37 UTC by Agostino Sarubbo
Modified: 2014-11-05 22:10 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-01-30 13:37:24 UTC
From $URL :

A vulnerability has been reported in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused due to an error in the "DemuxPacket()" function (modules/demux/asf/asf.c) when processing ASF files and can be exploited to cause a buffer overflow via a specially crafted ASF file.

Successful exploitation may allow execution of arbitrary code, but requires tricking a user into opening a malicious file.

The vulnerability is reported in versions 2.05 and prior.

The vulnerability will be fixed in upcoming version 2.0.6. No official solution is currently 

Provided and/or discovered by
The vendor credits Debasish Mandal.

Original Advisory
Comment 1 Agostino Sarubbo gentoo-dev 2013-04-16 12:36:22 UTC
This is fixed in 2.0.6; is it ready to go to stable?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-08-31 18:50:25 UTC
CVE-2013-1954 (
  The ASF Demuxer (modules/demux/asf/asf.c) in VideoLAN VLC media player 2.0.5
  and earlier allows remote attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via a crafted ASF movie that triggers an
  out-of-bounds read.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 05:46:39 UTC
2.0.7 has been stabled in the meantime. GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-11-05 22:10:05 UTC
This issue was resolved and addressed in
 GLSA 201411-01 at
by GLSA coordinator Sean Amoss (ackle).