
VLC - Remote hacker automatic control

Version: 0.8.6b and prior.

Technical Details:

Multiple vulnerabilities affect VLC and can lead to arbitrary code execution or a denial of service condition (application crash). Three separate vulnerabilities have been identified and patched in the most recent update. The first affects the way that VLC handles Ogg/Vorbis and Ogg/Theora content, the second affects the way that VLC handles malicious CDDA content, and the third affects the way that VLC handles SAP traffic. All three are format string vulnerabilities.
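The defect class named above, shown as an added example (not VLC's code and not taken from the VideoLAN advisory): untrusted metadata must only ever be passed as an argument to a fixed format, never as the format itself. The names log_msg, show_title and count_directives are hypothetical, and the sample tag value is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hypothetical logging wrapper. The format attribute lets GCC/Clang check
 * every call site, so -Wformat-security flags a non-literal format. */
PRINTF_LIKE(3, 4)
int log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern, kept as a comment so it is never compiled:
 *     log_msg(out, n, title);
 * Hardened form: the untrusted metadata is only ever an argument. */
int show_title(char *out, size_t n, const char *title)
{
    return log_msg(out, n, "Now playing: %s", title);
}

/* Triage helper: counts conversion directives in untrusted metadata.
 * "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        if (s[i + 1] == '%') { i++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    show_title(buf, sizeof buf, "%x%x%n"); /* constructed sample tag value */
    printf("%s (directives: %d)\n", buf, count_directives("%x%x%n"));
}
```

Building with -Wformat -Wformat-security turns the commented-out call into a compile-time warning, which is a cheap way to audit the remaining call sites of a printf-style wrapper.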

Description:

It has been discovered that the cross-platform media player VLC is vulnerable to multiple issues that could allow remote attackers to take control of vulnerable systems (if SAP service discovery is enabled), or allow an attacker to take control of a system if a victim can be convinced to interact with a malicious media file or Audio CD with a malicious CDDB entry.

Mitigation:

Update to version 0.8.6c at the earliest opportunity.

Updates:

http://www.videolan.org/vlc/

Source:

http://www.videolan.org/sa0702.html

Exploits:

External Tracking Data:

http://www.videolan.org/sa0702.html

