SB2017062707 - Debian update for vlc
Published: June 27, 2017
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2017-8310)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error in CreateHtmlSubtitle in VideoLAN VLC when processing subtitles. A remote unauthenticated attacker can create a specially crafted subtitle, trick the victim into loading it and trigger an application crash via an out-of-bounds read.
2) Heap-based buffer overflow (CVE-ID: CVE-2017-8311)
The vulnerability allows a remote unauthenticated attacker to execute arbitrary code and take over the device.
The weakness exists due to a boundary error in ParseJSS in VideoLAN VLC when processing subtitles. A remote attacker can create a specially crafted subtitle file which, when loaded by the target user in the affected software, leads to arbitrary code execution.
Successful exploitation of the vulnerability may result in full control over the affected PC.
3) Out-of-bounds read (CVE-ID: CVE-2017-8312)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error in ParseJSS in VideoLAN VLC when processing subtitles. A remote unauthenticated attacker can create a specially crafted subtitle, trick the victim into loading it and trigger an application crash via an out-of-bounds read.
4) Out-of-bounds read (CVE-ID: CVE-2017-8313)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error in ParseJSS in VideoLAN VLC when processing subtitles. A remote unauthenticated attacker can create a specially crafted subtitle, trick the victim into loading it and trigger an application crash via an out-of-bounds read.
Remediation
Install the update from the vendor's website.