CVE-2014-9625

Published: 24 January 2020

The GetUpdateFile function in misc/update.c in the Updater in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remote attackers to conduct buffer overflow attacks and execute arbitrary code via a crafted update status file, aka an "integer truncation" vulnerability.

Priority

CVSS 3 base score: 7.8

Status

Package	Release	Status
vlc Launchpad, Ubuntu, Debian	Upstream	Needed





	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was not-affected)
	Patches: Upstream: https://github.com/videolan/vlc/commit/fbe2837bc80f155c001781041a54c58b5524fc14

Notes

Author	Note
mdeslaur	update mechanism not enabled in Debian/Ubuntu

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775866

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

Further reading