VLC Media Player Closes Hole

Wednesday, October 12, 2011 @ 01:10 PM gHale


The VideoLAN project development team released version 1.1.12 of the VLC Media Player, a maintenance and security update that addresses a NULL dereference vulnerability in the HTTP and RTSP server component that an attacker could exploit to crash the server process.

For an attack to be successful, the user must start the VLC server and manually start the HTTP web interface, HTTP output, RTSP output or RTSP VoD functions. The affected versions are up to and including 1.1.11. The issue “does not affect standard usage of the player,” the developers said.


VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVD, Audio CD, VCD, and various streaming protocols.

Release 13 of the 1.1.x branch of VLC also brings improvements for audio output: It adds support for AC-3 and DTS pass through included in version 1.0 of PulseAudio, has fixes for PulseAudio synchronization, and better support for Mac OS X 10.7 Lion. Other changes include Unix port compatibility updates, translation updates and fixes for bugs that cause VLC to crash on Japanese locale Mac OS X systems.

Click here to find more details about the update, including a full list of changes. VLC 1.1.12 is available to download from the project’s web site.


