[manjaro-security] [arch-security] [ASA-201712-4] vlc: arbitrary code execution
Santiago Torres-Arias via arch-security
arch-security at archlinux.org
Thu Dec 7 21:45:13 CET 2017
Arch Linux Security Advisory ASA-201712-4
Date : 2017-12-07
CVE-ID : CVE-2017-10699 CVE-2017-9300
Package : vlc
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-533
The package vlc before version 2.2.7-1 is vulnerable to arbitrary code
Upgrade to 2.2.7-1.
# pacman -Syu "vlc>=2.2.7-1"
The problems have been fixed upstream in version 2.2.7.
- CVE-2017-10699 (arbitrary code execution)
It was discovered that avcodec 2.2.x, as used in VideoLAN VLC media
player before 2.2.7, allows out-of-bounds heap memory write due to
calling memcpy() with a wrong size, leading to a denial of service
(application crash) or possibly code execution.
- CVE-2017-9300 (arbitrary code execution)
It was discovered that plugins\codec\libflac_plugin.so in VideoLAN VLC
media player before 2.2.7 allows remote attackers to cause a heap
corruption and application crash leading to denial of service or
possibly execution of arbitrary code via a crafted FLAC file.
A remote attacker is able to execute arbitrary code on the host by
providing a maliciously-crafted media file to VLC.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the manjaro-security