CVE-2007-0017

Name of the Vulnerable Software and Affected Versions: VideoLAN VLC versions 0.7.0 through 0.8.6

Description: The issue is related to multiple format string vulnerabilities in the cdio log handler function in the CDDA plugin and the cdio log handler and vcd log handler functions in the VCDX plugin. These vulnerabilities allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI. For example, this can be demonstrated by a udp://-- URI in an M3U file. The exploitation of this issue is associated with the use of uncontrolled format strings, which can enable a remote attacker to execute arbitrary code.

Recommendations: For versions 0.7.0 through 0.8.6, consider disabling the cdio log handler and vcd log handler functions in the affected plugins as a temporary workaround until a patch is available. Restrict access to the CDDA and VCDX plugins to minimize the risk of exploitation. Avoid using the affected functions in the plugins until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.