Version 1.1.13 of the open source VLC Media Player closes a hole in previous releases that an attacker could exploit to compromise a user's system. The maintenance and security update addresses a buffer overflow in VLC's TiVo (TY) demuxer that can at minimum crash the player's process. The VideoLAN project developers note that, on some systems, the overflow may also allow arbitrary code execution on the victim's machine.

For an attack to succeed, a user must first open a specially crafted TiVo file or visit a malicious web site that serves one. Versions 0.9.0 to 1.1.12 are affected; upgrading to 1.1.13 fixes the issue. Users who cannot upgrade immediately can instead remove the TY demux plug-in (libty_plugin.*) from the VLC plug-in directory, which disables TiVo playback entirely and so removes the vulnerable code path. According to the 1.1.13 shortlog, the release also includes translation updates and fixes for several other bugs.
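The workaround described above, as an added example (this is not VideoLAN's own code): a small POSIX shell script that decides whether an installed VLC version falls in the affected range 0.9.0 to 1.1.12 and, if so, moves every libty_plugin.* file out of the plug-in directory into a quarantine directory so the change can be reverted after upgrading. The plug-in directory path, the quarantine path and the `vlc --version` output format in the usage comment are assumptions; the affected version range comes from the advisory.

```shell
#!/bin/sh
# Added example, not part of VLC or the VideoLAN advisory.
# Disables the vulnerable TiVo (TY) demuxer by moving libty_plugin.* out of
# the plug-in directory, after checking the installed version against the
# affected range 0.9.0 .. 1.1.12 (fixed in 1.1.13).

# Map "major.minor.patch[-suffix]" to an integer key for ordering.
# Missing components count as 0; a trailing suffix such as "-git" is ignored.
vlc_version_key() {
    v=$1
    maj=${v%%.*}; maj=${maj%%[!0-9]*}
    [ -n "$maj" ] || return 1
    v=${v#"$maj"}; v=${v#.}
    min=${v%%.*}; min=${min%%[!0-9]*}
    v=${v#"$min"}; v=${v#.}
    pat=${v%%[!0-9]*}
    echo $(( maj * 10000 + ${min:-0} * 100 + ${pat:-0} ))
}

# Return 0 if version $1 lies in [0.9.0, 1.1.12], 1 if it does not,
# 2 if the version string could not be parsed.
vlc_is_affected() {
    key=$(vlc_version_key "$1") || return 2
    lo=$(vlc_version_key 0.9.0)
    hi=$(vlc_version_key 1.1.12)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Move every libty_plugin.* below plug-in directory $1 into quarantine
# directory $2 (created on demand). The search is recursive because the
# 1.x plug-in tree is split into subdirectories such as demux/ (assumption).
# Returns 0 if at least one file was moved, 1 if none was found.
disable_ty_plugin() {
    plugdir=$1
    quarantine=$2
    n=$(find "$plugdir" -type f -name 'libty_plugin.*' | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || return 1
    mkdir -p "$quarantine"
    find "$plugdir" -type f -name 'libty_plugin.*' -exec mv {} "$quarantine"/ \;
    return 0
}

# Example invocation against a real installation (paths and the format of
# `vlc --version` are assumptions; adjust for your platform):
#   ver=$(vlc --version 2>/dev/null | sed -n 's/^VLC media player \([0-9.]*\).*/\1/p')
#   if vlc_is_affected "$ver"; then
#       disable_ty_plugin /usr/lib/vlc/plugins /var/tmp/vlc-quarantine
#   fi
# To revert after upgrading, move the quarantined files back.
```

Moving rather than deleting the plug-in keeps the workaround reversible, and checking the version first avoids touching installations that already run 1.1.13 or later.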

While version 1.1.13 of the VLC Media Player has already been announced on the project's News page, the NEWS file has yet to be updated and pre-compiled binaries were not available for download at the time of writing. The GPLv2 licensed source code for VLC 1.1.13 is, however, already provided.

See also:

Buffer overflow in VLC TiVo demuxer, a VideoLAN project security advisory.

(crve)