Bugtraq mailing list archives

Secunia Research: DivX Web Player Stream Format Chunk Buffer Overflow


From: Secunia Research <remove-vuln () secunia com>
Date: Wed, 15 Apr 2009 09:37:15 +0200

======================================================================

                     Secunia Research 15/04/2009

       - DivX Web Player Stream Format Chunk Buffer Overflow -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* DivX Web Player version 1.4.2.7

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where:  Remote

======================================================================
3) Vendor's Description of Software

"DivX Web Player lets you play up to HD-quality DivX® video in your web
browser. You can also use DivX Web Player to easily embed DivX videos
onto your website or blog."

Product Link:
http://www.divx.com/en/web-player-windows

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in DivX Web Player,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused due to a signedness error in the
processing of "STRF" (Stream Format) chunks. This can be exploited to
cause a heap-based buffer overflow via a specially crafted DivX file.

Successful exploitation may allow execution of arbitrary code by
tricking a user into visiting a malicious website.

======================================================================
5) Solution

Update to version 1.4.3.4, included in an updated DivX bundle.

======================================================================
6) Time Table

17/12/2008 - Vendor notified.
18/12/2008 - Vendor response.
11/03/2009 - DivX Web Player 1.4.3 released in a bundle update.
15/04/2009 - Public disclosure.

======================================================================
7) Credits

Discovered by Alin Rad Pop, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2008-5259 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-57/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
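As an added example (not DivX's code, and making no claim about how its parser is written), the following chunk reader handles the "strf" chunk named in section 4 while keeping the length field unsigned and bounding it against both the remaining input and the destination buffer, which is exactly the check a signedness error on the length would bypass. The chunk layout follows the RIFF convention (4-byte FourCC, 4-byte little-endian size, payload); STRF_MAX_PAYLOAD and the sample chunks are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Illustration of the bug class the advisory names (signedness error on a
 * chunk length); this is not DivX code and says nothing about its internals.
 * A RIFF chunk is a 4-byte FourCC plus a 4-byte little-endian size, followed
 * by `size` payload bytes. STRF_MAX_PAYLOAD is an assumed sane upper bound. */
#define STRF_MAX_PAYLOAD 4096u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the payload of an "strf" chunk into dst. Returns the payload length,
 * or -1 if the chunk is malformed. The length stays unsigned for every
 * comparison: a size such as 0xFFFFFFF0, which as a signed int is negative
 * and would slip past a check written as `(int)size < limit`, is rejected. */
int parse_strf_chunk(const uint8_t *buf, size_t buf_len,
                     uint8_t *dst, size_t dst_len)
{
    if (buf_len < 8 || memcmp(buf, "strf", 4) != 0)
        return -1;
    uint32_t size = rd_le32(buf + 4);
    if (size > buf_len - 8)          /* payload must lie inside the input */
        return -1;
    if (size > STRF_MAX_PAYLOAD || size > dst_len)  /* and fit the buffer */
        return -1;
    memcpy(dst, buf + 8, size);
    return (int)size;
}

/* Constructed sample chunks used by the checks below. */
int demo_valid(void) {
    uint8_t chunk[8 + 40] = { 's','t','r','f', 40,0,0,0 };
    uint8_t dst[64];
    return parse_strf_chunk(chunk, sizeof chunk, dst, sizeof dst);   /* 40 */
}
int demo_negative_size(void) {   /* size field 0xFFFFFFF0 = -16 as int32 */
    uint8_t chunk[8] = { 's','t','r','f', 0xF0,0xFF,0xFF,0xFF };
    uint8_t dst[64];
    return parse_strf_chunk(chunk, sizeof chunk, dst, sizeof dst);   /* -1 */
}
int demo_truncated(void) {       /* claims 40 bytes, only 10 present */
    uint8_t chunk[8 + 10] = { 's','t','r','f', 40,0,0,0 };
    uint8_t dst[64];
    return parse_strf_chunk(chunk, sizeof chunk, dst, sizeof dst);   /* -1 */
}
```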
