Adware Guru

German information-security specialists have found a critical RCE bug in VLC Media Player: there is no patch yet.

Specialists at Germany's CERT-Bund have discovered a dangerous vulnerability in the popular media player that allows remote execution of arbitrary code.

A patch is already in development but is not ready yet.

The problem is reported to affect the newest version of VLC Media Player, 3.0.7.1 (for Windows, Linux and UNIX), and has been assigned the identifier CVE-2019-13615.

It has been given a CVSS score of 9.8 out of 10.

“A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files,” warns ESET.

The vulnerability is a buffer over-read. Its root cause lies in the mkv::demux_sys_t::FreeUnused() function in modules/demux/mkv/demux.cpp, which is triggered when it is called from mkv::Open in modules/demux/mkv/mkv.cpp.

Exploiting the vulnerability can lead not only to execution of arbitrary code, but also to unauthorized disclosure of information, modification of files and denial of service.


According to the bug report, the VideoLAN developers have been working on a patch for this problem for almost a month, but the fix is not ready yet. Judging by the status indicator, the patch is currently only 60% complete.

At present, developers and researchers have no information that attackers are already exploiting this vulnerability. Unfortunately, now that details of the bug have been published, the situation can quickly change for the worse.

Daniel Zimmermann

Daniel Zimmermann has been writing about adware, browser notification abuse, unwanted programs and practical Windows cleanup for many years. He focuses on clear removal steps for everyday users and keeps Adware Guru guides grounded in observable browser symptoms.
