23:57 Tue, 02 Jan 2007 PST -0800

Month of Apple Bugs - Day 2

Today's bug from the Month of Apple Bugs is a format string vulnerability in the VLC media player.

The wonderfully responsive and dapper VLC team already has a fix committed, and I'm sure a new release will be forthcoming.

In the meantime, more for completeness than necessity, I've added a fix to the MOAB Ape. The fix is keyed to (and only supports) the latest VLC release (0.8.6) -- the patch will automatically de-activate itself when you update VLC, which you should most certainly eventually do. The patch works by guarding the *_log_handler() callbacks, checking for format string characters before passing the string on.

You can download the source, or a pre-built binary. You'll need to install Application Enhancer to use this -- once it's installed, simply double-click on the Moab bundle to install the patch.

If you'd like to help with tomorrow's MOAB vulnerability please feel free to send me patches or other information. If there's enough interest, I'll fire up a mailing list.

[/code/macosx] permanent link