CVE-2008-4654

Published: 22 October 2008

Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.

Priority

Status

Package	Release	Status
vlc Launchpad, Ubuntu, Debian	dapper	Not vulnerable (code not present)
	gutsy	Not vulnerable (code not present)
	hardy	Not vulnerable (code not present)
	intrepid	Released (0.9.4-1ubuntu3.2)
	jaunty	Not vulnerable (0.9.9a-2ubuntu1)
	upstream	Needed
	Patches: upstream: http://git.videolan.org/?p=vlc.git;a=commit;h=26d92b87bba99b5ea2e17b7eaa39c462d65e9133

References

http://www.videolan.org/security/sa0809.html
https://www.cve.org/CVERecord?id=CVE-2008-4654
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/ubuntu/+source/vlc/+bug/285922
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502726

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›