CVE-2013-1868
published 2013-07-10CVE-2013-1868: Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code…
PriorityP355critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
10.98%
95.3th percentile
Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code via vectors related to the (1) freetype renderer and (2) HTML subtitle parser.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 2.0.5-1 (bookworm) | vlc 2.0.5-1 (bookworm) |
| videolan | vlc_media_player | <= 2.0.4 | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | >= 0 < 2.0.5-1 | 2.0.5-1 |
| videolan | vlc_media_player | >= 0 < 2.0.5-1 | 2.0.5-1 |
| videolan | vlc_media_player | >= 0 < 2.0.5-1 | 2.0.5-1 |
| videolan | vlc_media_player | >= 0 < 2.0.5-1 | 2.0.5-1 |
Detection & IOCsextracted from sources · hover to see the quote
- →Attack surface includes the freetype renderer and HTML subtitle parser in VLC ≤ 2.0.4; flag subtitle files (.srt, .html) and .swf files fed to vulnerable VLC versions ↗
- →Faulting call stack passes through libavcodec_plugin and libvlccore; alert on VLC child-process crashes involving these DLLs with a DEP violation event ↗
- ·PoC was tested only on Windows XP SP3 (x86 user mode); exploitability on other platforms or OS versions is unconfirmed from these sources ↗
- ·The vulnerability is fixed in VLC 2.0.5-1 (Debian); detections targeting the crash path are only relevant for VLC ≤ 2.0.4 ↗
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
osv9.3CRITICAL
vendor_debian9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-cgh8-877w-m8q2: Multiple buffer overflows in VideoLAN VLC media player 2
ghsa_unreviewed·2022-05-17
CVE-2013-1868 [HIGH] CWE-119 GHSA-cgh8-877w-m8q2: Multiple buffer overflows in VideoLAN VLC media player 2
Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code via vectors related to the (1) freetype renderer and (2) HTML subtitle parser.
OSV
CVE-2013-1868: Multiple buffer overflows in VideoLAN VLC media player 2
osv·2013-07-10·CVSS 9.3
CVE-2013-1868 [CRITICAL] CVE-2013-1868: Multiple buffer overflows in VideoLAN VLC media player 2
Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code via vectors related to the (1) freetype renderer and (2) HTML subtitle parser.
Debian
CVE-2013-1868: vlc - Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earlier allow r...
vendor_debian·2013·CVSS 9.3
CVE-2013-1868 [CRITICAL] CVE-2013-1868: vlc - Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earlier allow r...
Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code via vectors related to the (1) freetype renderer and (2) HTML subtitle parser.
Scope: local
bookworm: resolved (fixed in 2.0.5-1)
bullseye: resolved (fixed in 2.0.5-1)
forky: resolved (fixed in 2.0.5-1)
sid: resolved (fixed in 2.0.5-1)
trixie: resolved (fixed in 2.0.5-1)
No detection rules found.
http://marc.info/?l=oss-security&m=136367945627336&w=2http://secunia.com/advisories/59793http://www.securityfocus.com/bid/57079http://www.videolan.org/security/sa1301.htmlhttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17226http://marc.info/?l=oss-security&m=136367945627336&w=2http://secunia.com/advisories/59793http://www.securityfocus.com/bid/57079http://www.videolan.org/security/sa1301.htmlhttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17226
2013-07-10
Published