Outdated libmodplug Vulnerability in 1.1.8
Posted: 10 Apr 2011 03:54
by zarathustra2k1
A critical zero-day vulnerability has been discovered in VLC media player and can potentially be exploited to execute arbitrary code on a user's system.
http://news.softpedia.com/news/VLC-Medi ... 4016.shtml
Will 1.1.9 have libmodplug 0.8.8.2? I'm currently disabling all VLC browser plugins until so.
Your thoughts please.
Re: Outdated libmodplug Vulnerability in 1.1.8
Posted: 10 Apr 2011 09:17
by RĂ©mi Denis-Courmont
There is no answer to that question. VLC versions identify uniquely a VLC source code release. The VLC source code does not contain libmodplug. So VLC version numbers cannot be matched 1:1 to a version of libmodplug or any other library.
In particular:
- some VLC builds use libmodplug from the operating system, whatever version that it provides,
- some VLC builds are statically linked to libmodplug 0.8.8.2,
- some builds are staticallyl inked to an older/buggy version (0.8.8.1, 0.8.7, etc),
- some builds don't support libmodplug at all.
Re: Outdated libmodplug Vulnerability in 1.1.8
Posted: 10 Apr 2011 11:04
by Jean-Baptiste Kempf
A critical zero-day vulnerability has been discovered in VLC media player and can potentially be exploited to execute arbitrary code on a user's system.
http://news.softpedia.com/news/VLC-Medi ... 4016.shtml
Will 1.1.9 have libmodplug 0.8.8.2? I'm currently disabling all VLC browser plugins until so.
Your thoughts please.
ftp://ftp.videolan.org/pub/videolan/tes ... 1-modplug/
Re: Outdated libmodplug Vulnerability in 1.1.8
Posted: 10 Apr 2011 23:30
by zarathustra2k1
Thank you for the information.