oss-sec mailing list archives
Re: CVE request: VLC media player - DLL preloading vulnerability
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 25 Aug 2010 19:56:57 -0400 (EDT)
We will have one CVE per vulnerable application. Yes, it's going to be very painful. Roughly, the rationale is: "the product does not protect against a common configuration/behavior in its environment."
VLC was exploitable by loading wintab32.dll, a component request by Qt, as shown in http://www.exploit-db.com/exploits/14750/
Use CVE-2010-3124
There's another possibility with DMO.
Is this a distinct product outside of VLC, or is it just a different component / attack vector?
- Steve
Current thread:
- CVE request: VLC media player - DLL preloading vulnerability Geoffroy Couprie (Aug 25)
- Re: CVE request: VLC media player - DLL preloading vulnerability Steven M. Christey (Aug 25)
- Re: CVE request: VLC media player - DLL preloading vulnerability Geoffroy Couprie (Aug 26)
- Re: CVE request: VLC media player - DLL preloading vulnerability Steven M. Christey (Aug 25)