Vulnerability Name: CVE-2008-0984 (CCN-40892)

Assigned: 2008-02-08
Published: 2008-02-08
Updated: 2018-10-15
Summary: The MP4 demuxer (mp4.c) for VLC media player 0.8.6d and earlier, as used in Miro Player 1.1 and earlier, allows remote attackers to overwrite arbitrary memory and execute arbitrary code via a malformed MP4 file.
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-399
Vulnerability Consequences: Gain Access
References:

Source: MITRE
Type: CNA
CVE-2008-0984

Source: FULLDISC
Type: UNKNOWN
20080227 CORE-2008-0130: VLC media player chunk context validation error

Source: CCN
Type: SA29122
VLC Media Player MP4 Demuxer Arbitrary Memory Overwrite

Source: SECUNIA
Type: Vendor Advisory
29122

Source: CCN
Type: SA29153
Miro MP4 Demuxer Arbitrary Memory Overwrite

Source: SECUNIA
Type: Vendor Advisory
29153

Source: SECUNIA
Type: Vendor Advisory
29284

Source: SECUNIA
Type: Vendor Advisory
29766

Source: CCN
Type: SECTRACK ID: 1019510
VLC Media Player MPEG-4 Demuxer Memory Corruption Flaw Lets Remote Users Execute Arbitrary Code

Source: CCN
Type: CORE-2008-0130
VLC media player chunk context validation error

Source: MISC
Type: UNKNOWN
http://www.coresecurity.com/?action=item&id=2147

Source: DEBIAN
Type: UNKNOWN
DSA-1543

Source: DEBIAN
Type: DSA-1543
vlc -- several vulnerabilities

Source: CCN
Type: GLSA-200803-13
VLC: Multiple vulnerabilities

Source: GENTOO
Type: UNKNOWN
GLSA-200803-13

Source: CCN
Type: OSVDB ID: 43002
VLC Media Player MP4 Demuxer (mp4.c) Arbitrary Memory Overwrite

Source: CCN
Type: OSVDB ID: 43702
VLC Media Player libmp4.c MP4_ReadBox_rdrf() Function MP4 RDRF Box Handling Overflow

Source: BUGTRAQ
Type: UNKNOWN
20080227 CORE-2008-0130: VLC media player chunk context validation error

Source: BID
Type: UNKNOWN
28007

Source: CCN
Type: BID-28007
VideoLAN VLC Media Player MP4 Demuxer Remote Code Execution Vulnerability

Source: SECTRACK
Type: UNKNOWN
1019510

Source: CCN
Type: VideoLAN-SA-0802
Arbitrary memory overwrite in the MP4 demuxer

Source: CONFIRM
Type: Patch
http://www.videolan.org/security/sa0802.html

Source: VUPEN
Type: Vendor Advisory
ADV-2008-0682

Source: XF
Type: UNKNOWN
vlcmediaplayer-mp4-memory-overwrite(40892)

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:miro:miro_player:*:*:*:*:*:*:*:* (Version <= 1.1)
  • OR cpe:/a:videolan:vlc_media_player:*:*:*:*:*:*:*:* (Version <= 0.8.6d)

Configuration CCN 1:
  • cpe:/a:videolan:vlc_media_player:0.8.6d:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:26439 | V | Memory corruption vulnerability in MP4 demuxer (mp4.c) for VLC media player via a malformed MP4 file | 2014-10-20
oval:org.mitre.oval:def:7830 | P | DSA-1543 vlc -- several vulnerabilities | 2014-06-23
oval:org.mitre.oval:def:18478 | P | DSA-1543-1 vlc - several vulnerabilities | 2014-06-23
oval:org.debian:def:1543 | V | several vulnerabilities | 2008-04-09
    miro miro player *
    videolan vlc media player *
    videolan vlc media player 0.8.6d
    gentoo linux *
    debian debian linux 4.0