Critical vulnerabilities in VLC Media Player could allow an attacker to perform arbitrary code execution

• The double-free vulnerability tracked as CVE-2019-12874 is marked as a high-severity bug with a CVSS v3 score of 9.8.
• The buffer overflow vulnerability tracked as CVE-2019-5439 resides in the ReadFrame (demux/avi/avi.c) function.

A security researcher from Pen Test Partners, Symeon Paraschoudis uncovered a critical double-free vulnerability in VLC media player that could allow an attacker to execute arbitrary code on target systems.

Double-free vulnerability

• The double-free vulnerability tracked as CVE-2019-12874 is marked as a high-severity bug with a CVSS v3 score of 9.8.
• The vulnerability resides in the zlib_decompress_extra function of VLC media player that could be triggered during the parsing of a malformed MKV file type within the Matroska demuxer.
• In order to trigger the vulnerability in zlib_decompress_extra() (demux/mkv/utils.cpp), an attacker requires to create a specially crafted malicious file.

Buffer overflow vulnerability

The second vulnerability which was reported through the HackerOne bug bounty program is a buffer overflow vulnerability.

• The vulnerability tracked as CVE-2019-5439 resides in the ReadFrame (demux/avi/avi.c) function.
• This buffer overflow vulnerability could allow an attacker to trigger either a crash of VLC or an arbitrary code execution.
• The vulnerability arises from the issue that the ReadFrame function uses a variable obtained directly from the file without any strict check being performed before the memory operation (memmove, memcpy).
• This issue allows the buffer overflow to be triggered. However, to trigger the vulnerability, an attacker requires to create a specially crafted file ( avi or mkv files) and trick a user into opening the malicious file.

Both vulnerabilities patched

VideoLAN has released patches in the latest version VLC 3.0.7 that addresses both the vulnerabilities.

“The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied,” VideoLAN recommends in the advisory.