Users of VideoLAN's VLC cross-platform media player are strongly advised to upgrade to the just-released version 0.8.6c, which fixes "a security vulnerability in the CDDA, Vorbis, Theora and SAP plugins."
In a security advisory about this issue -- originally reported by David Thiel of iSEC Partners -- VideoLAN explained that "Ogg/Vorbis, Ogg/Theora, CDDA (CD Digital Audio) and SAP (Service Announce Protocol) plugins are prone to a C-style format string vulnerability when trying to parse a media data stream."
This is considered a "high severity" issue because "(v)alid but carefully crafted .ogg (Vorbis) or .ogm (Theora) files, CDDB entries or SAP/SDP messages can trigger the bug," which could facilitate an attack to gain local user privileges and/or crash the player.
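To illustrate the bug class the advisory names, here is an added example (not VLC's code) in which a constructed Vorbis comment string is logged through a constant-format call, one helper counts the '%' directives still present in untrusted metadata, and another doubles percents for any path that must pass text through a format slot. The function names and the sample title are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a comment field read from an untrusted .ogg file;
 * in a real stream the producer chooses every byte of this string. */
static const char UNTRUSTED_TITLE[] = "Demo track %08x %s";

/* The advisory's bug class is using the untrusted string itself as the
 * format, e.g. snprintf(buf, n, title), so '%' sequences in the metadata
 * drive the formatter. The fix: constant format, metadata only as an argument. */
static int format_title_safe(char *out, size_t outlen, const char *title)
{
    return snprintf(out, outlen, "title: %s", title);
}

/* Count printf-style conversion directives in a metadata string, skipping
 * the escaped "%%" form. A non-zero count on data that reaches any
 * printf-family format slot is the condition the advisory describes. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* literal percent, not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Neutralise a string that must, for legacy reasons, pass through a format
 * slot: double every '%' so it renders literally. Returns the length of the
 * result, or -1 if it would not fit in out (terminator included). */
static int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t j = 0;
    for (; *in != '\0'; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (j + need + 1 > outlen)
            return -1;          /* refuse rather than truncate mid-escape */
        if (*in == '%')
            out[j++] = '%';
        out[j++] = *in;
    }
    out[j] = '\0';
    return (int)j;
}
```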
In addition to the security bug fix, release 0.8.6c brings a number of other fixes and enhancements, including Windows Vista compatibility, cropping in Direct3D, a fix for a crash when changing to fullscreen on Mac OS X, a fix for a string overflow in the RSS filter, memory leak fixes, and a fix for an MKV demuxer crash related to seeking.
VLC is a popular, highly portable media player that supports a wide range of formats without the need for additional codecs. It can also be used as a streaming server for unicast or multicast on high-bandwidth networks. Precompiled binaries are available for Mac OS X and Windows; the security alert advises Linux and BSD users to obtain the relevant upgrades from their distribution/OS vendors.