Thursday, April 24, 2008 10:38 AM
cmosby
DivX Player Subtitle Parsing Buffer Overflow Vulnerabilities - Advisories - Secunia
DivX Player Subtitle Parsing Buffer Overflow Vulnerabilities
Secunia Advisory:
SA29780
Release Date:
2008-04-16
Last Update:
2008-04-22
Critical:
Highly critical
Impact:
System access
Where:
From remote
Solution Status:
Unpatched
Software:
DivX for Windows 6.x
DivX Player 6.x
CVE reference:
CVE-2008-1912 (Secunia mirror)
Description:
Some vulnerabilities have been discovered in DivX Player, which can potentially be exploited by malicious people to compromise a user's system.
The vulnerabilities are caused due to boundary errors in the processing of subtitle files (*.SRT, *.SUB). These can be exploited to cause stack-based buffer overflows via a specially crafted, overly long subtitle line contained in a malicious SRT or SUB file.
Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into opening a specially crafted SRT or SUB file.
The vulnerability is confirmed in DivX Player 6.7 (build 6.7.0.22). Other versions may also be affected.
Solution:
Disable the automatic loading of subtitles. Do not open untrusted subtitles.
Provided and/or discovered by:
securfrog
Additional information provided by Secunia Research.
Changelog:
2008-04-17: Updated advisory based on additional information from Secunia Research.
2008-04-22: Added CVE reference.
Original Advisory:
http://milw0rm.com/exploits/5453
|
DivX Player Subtitle Parsing Buffer Overflow Vulnerabilities - Advisories - Secunia
Filed under: Patch Management, Internet Applications, Software Vulnerabilites