Detections
Analytics
Debian DSA-2211-1 : vlc - missing input sanitising
high Nessus Plugin ID 53304
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Ricardo Narvaja discovered that missing input sanitising in VLC, a multimedia player and streamer, could lead to the execution of arbitrary code if a user is tricked into opening a malformed media file.This update also provides updated packages for oldstable (lenny) for vulnerabilities, which have already been addressed in Debian stable (squeeze), either during the freeze or in DSA-2159(CVE-2010-0522, CVE-2010-1441, CVE-2010-1442 and CVE-2011-0531 ).
Solution
Upgrade the vlc packages.For the oldstable distribution (lenny), this problem has been fixed in version 0.8.6.h-4+lenny3.
For the stable distribution (squeeze), this problem has been fixed in version 1.1.3-1squeeze4.
See Also
https://security-tracker.debian.org/tracker/CVE-2010-0522
https://security-tracker.debian.org/tracker/CVE-2010-1441
https://security-tracker.debian.org/tracker/CVE-2010-1442
https://security-tracker.debian.org/tracker/CVE-2011-0531
Plugin Details
Severity: High
ID: 53304
File Name: debian_DSA-2211.nasl
Version: 1.16
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 4/7/2011
Updated: 1/4/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: High
Base Score: 9.3
Temporal Score: 7.7
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:vlc, cpe:/o:debian:debian_linux:5.0, cpe:/o:debian:debian_linux:6.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/6/2011
Exploitable With
CANVAS (White_Phosphorus)
Core Impact
Metasploit (VLC AMV Dangling Pointer Vulnerability)
Reference Information
CVE: CVE-2010-3275, CVE-2010-3276
BID: 47012
DSA: 2211