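Vulnerability Details
VLC Media Player Browser Plugin Arbitrary File Overwrite Vulnerability
Vulnerability Summary
VideoLAN VLC media player is a free, open-source, cross-platform multimedia player (and multimedia framework) developed by the French VideoLAN organization. It can play many kinds of media (files, discs, etc.) and many audio and video formats (WMV, MP3, etc.).
VLC Media Player contains a vulnerability in its handling of malformed playlists that a remote attacker may be able to exploit to overwrite arbitrary files.
If a file name in a playlist contains a specially crafted :demuxdump-file option, or if an MP3 file contains an EXTVLCOPT statement, the VLC browser plugin may inject arguments when such a file is opened, resulting in arbitrary files being overwritten.
Vulnerability Advisory
The vendor has released an upgrade patch that fixes this security issue. Patch download links: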
VideoLAN VLC media player 0.8.6a
VideoLAN vlc-0.8.6f-win32.exe
http://www.videolan.org/mirror-geo.php?file=vlc/0.8.6f/win32/vlc-0.8.6f-win32.exe
VideoLAN vlc-0.8.6f.tar.gz
http://download.videolan.org/pub/videolan/vlc/0.8.6f/vlc-0.8.6f.tar.gz
VideoLAN VLC media player 0.8.6c
VideoLAN vlc-0.8.6f-win32.exe
http://www.videolan.org/mirror-geo.php?file=vlc/0.8.6f/win32/vlc-0.8.6f-win32.exe
VideoLAN vlc-0.8.6f.tar.gz
http://download.videolan.org/pub/videolan/vlc/0.8.6f/vlc-0.8.6f.tar.gz
VideoLAN VLC media player 0.8.6b
VideoLAN vlc-0.8.6f-win32.exe
http://www.videolan.org/mirror-geo.php?file=vlc/0.8.6f/win32/vlc-0.8.6f-win32.exe
VideoLAN vlc-0.8.6f.tar.gz
http://download.videolan.org/pub/videolan/vlc/0.8.6f/vlc-0.8.6f.tar.gz
VideoLAN VLC media player 0.8.6
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_arm.deb
arm architecture (ARM)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_arm.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_i386.deb
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_i386.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_mips.deb
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_mips.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_s390.deb
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_s390.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_arm.deb
arm architecture (ARM)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_arm.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_i386.deb
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etc
References
Source: trac.videolan.org
Link: https://trac.videolan.org/vlc/ticket/1371
Source: trac.videolan.org
Link: https://trac.videolan.org/vlc/changeset/23197
Source: BID
Name: 28712
Link: http://www.securityfocus.com/bid/28712
Source: GENTOO
Name: GLSA-200803-13
Link: http://www.gentoo.org/security/en/glsa/glsa-200803-13.xml
Source: DEBIAN
Name: DSA-1543
Link: http://www.debian.org/security/2008/dsa-1543
Source: SECUNIA
Name: 29766
Link: http://secunia.com/advisories/29766
Source: SECUNIA
Name: 29284
Link: http://secunia.com/advisories/29284
Source: OSVDB
Name: 42206
Link: http://osvdb.org/42206
Source: OSVDB
Name: 42205
Link: http://osvdb.org/42205
Source: MLIST
Name: [vlc-devel] 20071226 Regarding "obscure" security problem
Link: http://mailman.videolan.org/pipermail/vlc-devel/2007-December/037726.html
Affected Entities
- Videolan Vlc:0.8.6d
Patches
None available