VLC and other media players hit by critical vulnerability

[harlan4096]

A critical code execution vulnerability has been identified in LIVE555 Streaming Media RTSP Server library used by VLC and other media players. Lilith Wyatt, the IT security researcher at Cisco Talos Intelligence Group has discovered the vulnerability.

The vulnerability exists in the HTTP packet-parsing functionality of LIVE555 RTSP Server library through which an attacker can send a crafted malicious packet to trigger the vulnerability and cause a stack-based buffer overflow resulting in code execution.

“A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability,” Wyatt explained in her blog post.

The LIVE555 streaming media contains a set of open-source C++ libraries that developed by Live Networks Inc for streaming multimedia. The library works with RTP / RTCP, RTSP or SIP protocols that support both clients and server with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263 +, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis.

Full reading: http://www.ehackingnews.com/2018/10/vlc-...it-by.html