DescriptionStack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
vlc (PTS)wheezy, wheezy (security)2.0.3-5+deb7u2fixed
jessie (security), jessie2.2.7-1~deb8u1fixed
stretch (security), stretch2.2.7-1~deb9u1fixed
buster, sid3.0.1-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
vlcsourceetch(not affected)
vlcsourcelenny(not affected)


[etch] - vlc <not-affected> (Vulnerable code not present in 0.8.x)
[lenny] - vlc <not-affected> (Vulnerable code not present in 0.8.x)

Search for package or bug name: Reporting problems