CVE-2012-0023
HIGH severity · CVSS 9.3 · CWE-399
9.3CVSS HIGH
Summary
Double free vulnerability in the get_chunk_header function in modules/demux/ty.c in VideoLAN VLC media player 0.9.0 through 1.1.12 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TiVo (TY) file.
Impact & exploitability
Attack vectorNetwork
Attack complexity—
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impact—
Exploit probability (EPSS)5%
AV:N/AC:M/Au:N/C:C/I:C/A:C
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: http://www.videolan.org/security/sa1108.html ↗
Additional information
- NVD record
- http://www.videolan.org/security/sa1108.htmlPatch
- http://secunia.com/advisories/47325Advisory
- http://git.videolan.org/?p=vlc.git%3Ba=commit%3Bh=7d282fac1cc455b5a5eca2bb56375efcbf879b06
- http://securitytracker.com/id?1026449
- http://www.openwall.com/lists/oss-security/2012/10/29/5
- http://www.openwall.com/lists/oss-security/2012/10/30/9
- http://www.osvdb.org/77975
- http://www.securityfocus.com/bid/51231