Debian update for vlc

Published: 2019-01-13 12:27:56
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-19857
CVSSv3 5.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CWE ID CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software vlc (Debian package)
Vulnerable software versions vlc (Debian package) 3.0.5-1
vlc (Debian package) 3.0.5-2
vlc (Debian package) 3.0.4-4


Vendor URL Debian

Security Advisory

1) Improper input validation

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists due to improper handling of magic cookies in Core Audio Format (CAF) files, which can result in an uninitialized memory read in the CAF demuxer. In the ReadKukiChunk() function, the possibly negative return value of the peek operation is cast to an unsigned integer before it is checked, so a failed peek is not detected and the demuxer proceeds to read through a pointer that was never initialized. A remote attacker can trick the victim into opening a specially crafted CAF file and crash the application.
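The check-defeating cast described above, as an added illustrative example in C. This is not VLC's caf.c; the stream type, the peek-window limit, the result codes and the sample CAF bytes are all constructed assumptions chosen so that the control flow of the vulnerable and the hardened reader can be compared without dereferencing anything invalid.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Toy stream standing in for the demuxer's input (assumption: not VLC's stream API). */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} stream_t;

/* Assumed buffering limit: a peek larger than this fails, as a real stream layer
 * refuses to buffer an absurd request coming from a hostile chunk header. */
#define PEEK_WINDOW_MAX ((size_t)1 << 20)

/* Peek semantics modelled on common stream APIs: returns the number of bytes made
 * visible through *out, or -1 on error. On error *out is NOT written. */
static ssize_t stream_peek(stream_t *s, const uint8_t **out, size_t want) {
    if (want > PEEK_WINDOW_MAX || s->pos > s->len)
        return -1;
    size_t avail = s->len - s->pos;
    *out = s->buf + s->pos;
    return (ssize_t)(avail < want ? avail : want);
}

enum { KUKI_OK = 0, KUKI_ERR = -1, KUKI_WOULD_DEREF_GARBAGE = -2 };

/* Vulnerable shape: the signed peek result is cast to unsigned before the
 * "did we get enough?" test. -1 becomes UINT64_MAX, which is never below
 * i_size, so the error branch is skipped and p_peek (never assigned by the
 * failed peek) is used as if it pointed at the cookie. */
static int read_kuki_vuln(stream_t *s, uint64_t i_size, uint8_t *cookie, size_t cap) {
    const uint8_t *p_peek = NULL;   /* NULL only so the demo can detect the bug safely;
                                       in the real pattern this is an uninitialized pointer */
    if ((uint64_t)stream_peek(s, &p_peek, (size_t)i_size) < i_size)
        return KUKI_ERR;
    if (p_peek == NULL)
        return KUKI_WOULD_DEREF_GARBAGE;   /* real code would memcpy from garbage here */
    if (i_size > cap)
        return KUKI_ERR;
    memcpy(cookie, p_peek, (size_t)i_size);
    return KUKI_OK;
}

/* Hardened shape: keep the result signed and reject failure before any
 * unsigned comparison, then bound the size against the destination. */
static int read_kuki_fixed(stream_t *s, uint64_t i_size, uint8_t *cookie, size_t cap) {
    const uint8_t *p_peek = NULL;
    ssize_t got = stream_peek(s, &p_peek, (size_t)i_size);
    if (got < 0 || (uint64_t)got < i_size)
        return KUKI_ERR;
    if (i_size > cap)
        return KUKI_ERR;
    memcpy(cookie, p_peek, (size_t)i_size);
    return KUKI_OK;
}

typedef int (*kuki_reader_t)(stream_t *, uint64_t, uint8_t *, size_t);

static uint64_t be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Minimal CAF chunk walk: 'caff' magic + version/flags (8 bytes), then a sequence of
 * (4-byte type, big-endian 8-byte size, payload). Hands the 'kuki' chunk to the reader. */
static int demux_caf(stream_t *s, kuki_reader_t read_kuki, uint8_t *cookie, size_t cap) {
    if (s->len < 8 || memcmp(s->buf, "caff", 4) != 0)
        return KUKI_ERR;
    s->pos = 8;
    while (s->len - s->pos >= 12) {
        const uint8_t *hdr = s->buf + s->pos;
        uint64_t size = be64(hdr + 4);
        s->pos += 12;
        if (memcmp(hdr, "kuki", 4) == 0)
            return read_kuki(s, size, cookie, cap);
        if (size > s->len - s->pos)
            return KUKI_ERR;   /* chunk claims more bytes than the file has */
        s->pos += (size_t)size;
    }
    return KUKI_ERR;   /* no kuki chunk found */
}

/* Constructed sample files (not real captures). */
static const uint8_t WELL_FORMED[] = {
    'c','a','f','f', 0x00,0x01, 0x00,0x00,
    'k','u','k','i', 0,0,0,0,0,0,0,4,
    0x12,0x34,0x56,0x78,
};
/* Hostile: kuki chunk announcing 0x7FFFFFFF bytes, far beyond the peek window. */
static const uint8_t HOSTILE[] = {
    'c','a','f','f', 0x00,0x01, 0x00,0x00,
    'k','u','k','i', 0,0,0,0,0x7F,0xFF,0xFF,0xFF,
};

static int run(const uint8_t *file, size_t len, int use_fixed) {
    stream_t s = { file, len, 0 };
    uint8_t cookie[64] = {0};
    return demux_caf(&s, use_fixed ? read_kuki_fixed : read_kuki_vuln, cookie, sizeof cookie);
}

int demo_well_formed(int use_fixed) { return run(WELL_FORMED, sizeof WELL_FORMED, use_fixed); }
int demo_hostile(int use_fixed)     { return run(HOSTILE, sizeof HOSTILE, use_fixed); }

int main(void) {
    printf("well-formed: vuln=%d fixed=%d\n", demo_well_formed(0), demo_well_formed(1));
    printf("hostile:     vuln=%d fixed=%d\n", demo_hostile(0), demo_hostile(1));
    return 0;
}
```

Both readers accept the well-formed file. On the hostile file the peek fails with -1; the vulnerable reader's unsigned comparison treats that as "plenty of bytes" and falls through to the pointer it never received, while the hardened reader bails out on `got < 0` before the value can be reinterpreted.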

Remediation

Update the affected package to version: 3.0.6-0+deb9u1

External links

https://www.debian.org/security/2019/dsa-4366
