<?xml version="1.0" encoding="utf-8"?>
<glsa id="200701-24">
<title>VLC media player: Format string vulnerability</title>
VLC media player improperly handles format strings, allowing for the
execution of arbitrary code.
<product type="ebuild">vlc</product>
<announced>January 26, 2007</announced>
<revised>January 26, 2007: 01</revised>
<package name="media-video/vlc" auto="yes" arch="*">
<unaffected range="ge">0.8.6-r1</unaffected>
<vulnerable range="lt">0.8.6-r1</vulnerable>
VLC media player is a multimedia player for various audio and video
Kevin Finisterre has discovered that when handling media locations,
various functions throughout VLC media player make improper use of
format strings.
<impact type="normal">
An attacker could entice a user to open a specially crafted media
location or M3U file with VLC media player, and execute arbitrary code
on the system with the rights of the user running VLC media player.
There is no known workaround at this time.
All VLC media player users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=media-video/vlc-0.8.6-r1&quot;</code>
<uri link="">CVE-2007-0017</uri>
<metadata tag="requester" timestamp="Mon, 15 Jan 2007 23:30:46 +0000">
<metadata tag="bugReady" timestamp="Tue, 16 Jan 2007 17:08:55 +0000">
<metadata tag="submitter" timestamp="Thu, 18 Jan 2007 02:10:51 +0000">