FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

vlc -- arbitrary pointer dereference vulnerability

Affected packages
vlc < 2.2.1_5,4

Details

VuXML ID a0a4e24c-4760-11e5-9391-3c970e169bc2
Discovery 2015-08-20
Entry 2015-08-20

oCERT reports:

The stable VLC version suffers from an arbitrary pointer dereference vulnerability.

The vulnerability affects the 3GP file format parser, insufficient restrictions on a writable buffer can be exploited to execute arbitrary code via the heap memory. A specific 3GP file can be crafted to trigger the vulnerability.

Credit: vulnerability reported by Loren Maggiore of Trail of Bits.

References

CVE Name CVE-2015-5949
URL https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=ce91452460a75d7424b165c4dc8db98114c3cbd9;hp=9e12195d3e4316278af1fa4bcb6a705ff27456fd
URL https://www.ocert.org/advisories/ocert-2015-009.html