PT-2019-3290 · Videolan+3 · Vlc Media Player+3

Published

2019-06-11

·

Updated

2019-08-26

·

CVE-2019-12874

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions VideoLAN VLC media player versions 3.x through 3.0.7
Description The issue is related to the Matroska demuxer in the VideoLAN VLC media player, which has a double free error when parsing a malformed MKV file type. This can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service.
Recommendations For VideoLAN VLC media player versions 3.x through 3.0.7, consider updating to a version that fixes the issue in the zlib decompress extra function as soon as it becomes available. As a temporary workaround, avoid using the Matroska demuxer to parse potentially malformed MKV files until a patch is available.

Fix

Double Free

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-415

Related Identifiers

ALT-PU-2019-2067
ALT-PU-2019-2509
BDU:2019-03342
CVE-2019-12874
DSA-4459-1
OPENSUSE-SU-2019:1840-1
OPENSUSE-SU-2019:1897-1
OPENSUSE-SU-2019:1909-1
OPENSUSE-SU-2019:2015-1
OPENSUSE-SU-2019_1840-1
OPENSUSE-SU-2019_1909-1
USN-4074-1

Affected Products

Alt Linux
Suse
Ubuntu
Vlc Media Player