Debian Security Advisory

DSA-2257-1 vlc -- heap-based buffer overflow

Date Reported:
10 Jun 2011
Affected Packages:
vlc
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2011-2194.
More information:

Rocco Calvi discovered that the XSPF playlist parser of VLC, a multimedia player and streamer, is prone to an integer overflow resulting in a heap-based buffer overflow. This might allow an attacker to execute arbitrary code by tricking a victim into opening a specially crafted file.

The oldstable distribution (lenny) is not affected by this problem.

For the stable distribution (squeeze), this problem has been fixed in version 1.1.3-1squeeze6.

For the testing (wheezy) and unstable (sid) distributions, this problem will be fixed soon.

We recommend that you upgrade your vlc packages.