Headline
CVE-2022-41325: VideoLAN Security Bulletin VLC 3.0.18
An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions.
Summary : Multiple vulnerabilities fixed in VLC media player Date : November 2022 Affected versions : VLC media player 3.0.17 and earlier ID : VideoLAN-SB-VLC-3018
Details
A denial of service could be triggered with a wrong mp4 file (div by 0) (#27202)
Fix crashes with multiple files due to double free (#26930)
A denial of service could be triggered with wrong oog file (null pointer dereference) (#27294)
Potential buffer overflow in the vnc module could trigger remote code execution if a malicious vnc URL is deliberately played (#27335, CVE-2022-41325)
Impact
If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.
While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.
We have not seen exploits performing code execution through these vulnerability
Threat mitigation
Exploitation of those issues requires the user to explicitly open a specially crafted file or stream.
Workarounds
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.
Solution
VLC media player 3.0.18 addresses the issue.
Credits
The vnc module vulnerability was reported and fixed by 0xMitsurugi from Synacktiv (#27335, CVE-2022-41325)
References
The VideoLAN project
http://www.videolan.org/
VLC official GIT repository
http://git.videolan.org/?p=vlc.git
Related news
Gentoo Linux Security Advisory 202409-17 - Multiple vulnerabilities have been discovered in VLC, the worst of which could result in arbitrary code execution. Versions greater than or equal to 3.0.20 are affected.
Ubuntu Security Notice 6180-1 - It was discovered that VLC could be made to read out of bounds when decoding image files. If a user were tricked into opening a crafted image file, a remote attacker could possibly use this issue to cause VLC to crash, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that VLC could be made to write out of bounds when processing H.264 video files. If a user were tricked into opening a crafted H.264 video file, a remote attacker could possibly use this issue to cause VLC to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
Debian Linux Security Advisory 5297-1 - A buffer overflow was discovered in the VNC module of the VLC media player, which could result in the execution of arbitrary code.