VideoLAN, the organization behind VLC Media Player, one of the most popular media players, released VLC Media Player 3.0.8 today.
VLC Media Player 3.0.8 is a security update that patches a total of 13 different security issues in the client. The update is not related to a recently disclosed vulnerability that an overeager researcher attributed to VLC Media Player. It turned out that VLC was not vulnerable but that the researcher ran an older version of Ubuntu.
The update has not yet been picked up by the player's automatic update function, nor is it listed on the official VideoLAN website. It is, however, available on the official VideoLAN download site for all supported operating systems.
You may download the new release and install it over the old. Whether you will do that right away or wait for the official release notification by VideoLAN is up to you. Cautious users may want to wait for the official announcement to download the new version either from the VideoLAN website or by using the application’s integrated updater.
The new version of VLC patches the following issues in previous versions of the client application.
- Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
- Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
- Fix a read buffer overflow in the FAAD decoder
- Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
- Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
- Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
- Fix a use after free in the ASF demuxer (CVE-2019-14533)
- Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
- Fix a null dereference in the dvdnav demuxer
- Fix a null dereference in the ASF demuxer (CVE-2019-14534)
- Fix a null dereference in the AVI demuxer
- Fix a division by zero in the CAF demuxer (CVE-2019-14498)
- Fix a division by zero in the ASF demuxer (CVE-2019-14535)
You may look up the vulnerabilities with CVE IDs, e.g. on https://cve.mitre.org/. Note that the issues are not available to the public at the time of writing.
VLC Media Player 3.0.8 is a security update first and foremost. The update makes a handful of other, non-security-related changes as well:
- Core: Fix stuttering for low framerate videos
- Demux: Fix glitches in TS over HLS
- Demux: Add real probing of HLS streams
- Demux: Fix HLS MIME type fallback
- Misc: Update Youtube script
- Audio Output: Fix stuttering or blank audio when starting or seeking when using external audio devices (bluetooth for example)
- Audio Output: Fix AV synchronization when using external audio devices on Mac OS.
- Stream Output: Fix transcoding when the decoder does not set the chroma
Meanwhile, work on VLC Media Player 4.0 continues as well.
Now You: When do you install security updates for your applications? (via Deskmodder)