Secunia has published an advisory about new vulnerabilities found in VLC Media Player.
I just picked up an advisory from Secunia about VLC Media Player vulnerabilities. There are 9 vulnerabilities. Three are related to A/52, DTS and MPEG audio decoders. Three are about the AVI, ASF and Matroska demuxer. The other three are about the XSPF playlist, the ZIP and RTPM implementation.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires that the user is tricked into opening a specially crafted file.
There is no CVE Reference and unfortunately cannot figure out a CVSS score. You can find the original advisory (VideoLAN-SA-1003) here:
There are two interesting things about this one. One, as of right now (April 25, 2010 at 22:39 GMT-6), the fixed version for Windows (1.0.6) is still not available on the Video LAN web site. That’s a bit unusual because, typically, the vendor likes to make sure the patch/updated version of the vulnerable software is available before publishing the vulnerability on their on web site. The second thing that’s interesting is that the auto-update does not seem to work in my installed version (1.0.1).
I thought that maybe I had a problem in my home LAN that caused the auto-update to fail. I fired up Wireshark and did a quick sniff of the traffic when trying to get VLC to update. I used the Follow TCP Stream feature and it was quickly apparent that the problem wasn’t with me at all. The GET that VLC sent got a 206 Partial Content
HTTP/1.1 206 Partial Content
Last-Modified: Mon, 01 Feb 2010 23:15:18 GMT
Content-Range: bytes 0-485/486
Date: Mon, 26 Apr 2010 04:24:08 GMT
Due to a bug in the update feature of your on of VLC, the automatic download of the new VLC will fail.
You have to download VLC 1.0.5 from VideoLAN’s website: http://www.videolan.org
VLC 1.0.5 is a minor release of 1.0.x version of VLC. It fixes a few bugs, updates the codecs and the compiler for Windows, and should improve decoding speed. It also improves and update many translations.
Well, might as well download 1.0.5 for now and use the auto-update to check the 1.0.6 fix.