Allele Security Alert
ASA-2019-00386
Identifier(s)
ASA-2019-00386, CVE-2019-12874, VideoLAN-SA-1901
Title
Double free in zlib_decompress_extra()
Vendor(s)
VideoLAN
Product(s)
VLC media player
Affected version(s)
VLC media player versions 3.0.6 and earlier
Fixed version(s)
VLC media player version 3.0.7
Proof of concept
Unknown
Description
A remote user can create a specially crafted mkv file that, when loaded by the target user, triggers a double free in zlib_decompress_extra() (demux/mkv/utils.cpp).
If successful, a malicious third party could cause either a crash of VLC or arbitrary code execution with the privileges of the target user.
Technical details
Unknown
Credits
Symeon Paraschoudis
Reference(s)
Read buffer overflow & double free
https://www.videolan.org/security/sa1901.html
VLC 3.0.7 and security
http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security
NEWS
https://www.videolan.org/developers/vlc-branch/NEWS
CVE-2019-12874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12874
CVE-2019-12874
https://nvd.nist.gov/vuln/detail/CVE-2019-12874
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 27, 2019