Security researchers have discovered a serious code execution vulnerability in the LIVE555 Streaming Media library, which is used by popular media players including VLC and MPlayer, as well as a number of embedded devices capable of streaming media.
LIVE555 Streaming Media, developed and maintained by Live Networks, is a set of C++ libraries that companies and application developers use to stream multimedia over open standard protocols such as RTP/RTCP, RTSP, or SIP.
The LIVE555 streaming media libraries support streaming, receiving, and processing of various video formats such as MPEG, H.265, H.264, H.263+, VP8, DV, and JPEG video, and several audio codecs such as MPEG, AAC, AMR, AC-3, and Vorbis.
The vulnerable library is used internally by many well-known media applications such as VLC and MPlayer, exposing their millions of users to cyber attacks.
The code execution vulnerability, tracked as CVE-2018-4013 and discovered by researcher Lilith Wyatt of Cisco Talos Intelligence Group, resides in the HTTP packet-parsing functionality of the LIVE555 RTSP implementation, which parses HTTP headers in order to tunnel RTSP over HTTP.