CVE-2008-2147 & CVE-2008-2430
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vlc (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Binary package hint: vlc
Hi all,
just came in the mail (link to Gentoo's announcement)
http://
Description
===========
* Remi Denis-Courmont reported that VLC loads plugins from the
current working directory in an unsafe manner (CVE-2008-2147).
* Alin Rad Pop (Secunia Research) reported an integer overflow error
in the Open() function in the file modules/demux/wav.c
(CVE-
Impact
======
A remote attacker could entice a user to open a specially crafted .wav
file, and a local attacker could entice a user to run VLC from a
directory containing specially crafted modules, possibly resulting in
the execution of arbitrary code with the privileges of the user running
the application.
Workaround
==========
There is no known workaround at this time.