VLC Media Player 3.0.8 is a security update

Karlston


VideoLAN, the organization behind VLC Media Player, one of the most popular media players, released VLC Media Player 3.0.8 today.

VLC Media Player 3.0.8 is a security update that patches a total of 13 different security issues in the client. The update is not related to a recently disclosed vulnerability that an overly eager researcher attributed to VLC Media Player. It turned out that VLC was not vulnerable but that the researcher ran an older version of Ubuntu.

 

The update is not picked up yet by the player's automatic update function, nor is it listed on the official VideoLAN website. It is available on the official VideoLAN download site for all supported operating systems, however.

 


 

You may download the new release and install it over the old. Whether you will do that right away or wait for the official release notification by VideoLAN is up to you. Cautious users may want to wait for the official announcement to download the new version either from the VideoLAN website or by using the application's integrated updater.

 

The new version of VLC patches the following issues in previous versions of the client application.

  • Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
  • Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
  • Fix a read buffer overflow in the FAAD decoder
  • Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
  • Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
  • Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
  • Fix a use after free in the ASF demuxer (CVE-2019-14533)
  • Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
  • Fix a null dereference in the dvdnav demuxer
  • Fix a null dereference in the ASF demuxer (CVE-2019-14534)
  • Fix a null dereference in the AVI demuxer
  • Fix a division by zero in the CAF demuxer (CVE-2019-14498)
  • Fix a division by zero in the ASF demuxer (CVE-2019-14535)

You may look up the vulnerabilities with CVE IDs, e.g. on https://cve.mitre.org/. Note that the issues are not available to the public at the time of writing.

 

VLC Media Player 3.0.8 is a security update first and foremost. The update makes a handful of other, non-security related changes as well:

  • Core: Fix stuttering for low framerate videos
  • Demux: Fix glitches in TS over HLS
  • Demux: Add real probing of HLS streams
  • Demux: Fix HLS MIME type fallback
  • Misc: Update Youtube script
  • Audio Output: Fix stuttering or blank audio when starting or seeking when using external audio devices (bluetooth for example)
  • Audio Output: Fix AV synchronization when using external audio devices on Mac OS.
  • Stream Output: Fix transcoding when the decoder does not set the chroma

Work on VLC Media Player 4.0 continues meanwhile as well.

Source: VLC Media Player 3.0.8 is a security update (gHacks - Martin Brinkmann)
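The post notes that the built-in updater did not yet offer 3.0.8, so the practical check is to read the installed version yourself and compare it against the fixed release. The script below is an added example, not code from the gHacks article or from VideoLAN. It assumes that `vlc --version` on 3.x builds starts with a line like "VLC version 3.0.7 Vetinari (...)"; the sample outputs are constructed, and the host names are placeholders.

```python
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First 3.x release carrying the fixes listed in the post above.
FIXED_VERSION: Version = (3, 0, 8)

# Assumption: `vlc --version` on 3.x builds begins with a line such as
# "VLC version 3.0.7 Vetinari (3.0.7-0-g...)". Distribution builds may append
# their own suffixes, so only the leading numeric triple is matched.
_VERSION_RE = re.compile(r"VLC version (\d+)\.(\d+)\.(\d+)")


def parse_vlc_version(output: str) -> Optional[Version]:
    """Return (major, minor, patch) parsed from `vlc --version` output, or None."""
    match = _VERSION_RE.search(output)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(version: Version, fixed: Version = FIXED_VERSION) -> bool:
    """Compare as integer tuples, so 3.0.10 is correctly newer than 3.0.8
    (a plain string comparison would get that wrong)."""
    return version >= fixed


def classify(output: str) -> str:
    """Map raw `vlc --version` output to "patched", "vulnerable" or "unknown"."""
    version = parse_vlc_version(output)
    if version is None:
        return "unknown"
    return "patched" if is_patched(version) else "vulnerable"


def audit(outputs: Dict[str, str]) -> Dict[str, str]:
    """Classify a mapping of host name -> captured `vlc --version` output."""
    return {host: classify(text) for host, text in outputs.items()}


def installed_vlc_version(timeout: float = 15.0) -> Optional[Version]:
    """Run the local `vlc --version`; None if vlc is absent or prints nothing usable."""
    exe = shutil.which("vlc")
    if exe is None:
        return None
    try:
        proc = subprocess.run([exe, "--version"], capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # Some builds write the banner to stderr, so look at both streams.
    return parse_vlc_version(proc.stdout + proc.stderr)


# Constructed sample outputs (hypothetical hosts, not captured from real machines).
SAMPLE_OUTPUTS = {
    "desktop-1": "VLC version 3.0.7 Vetinari (3.0.7-0-g1234567890)\n",
    "desktop-2": "VLC version 3.0.8 Vetinari (3.0.8-0-gabcdef0123)\n",
    "desktop-3": "VLC version 3.0.10 Vetinari (3.0.10-0-g0000000000)\n",
    "laptop-1": "vlc: command not found\n",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_OUTPUTS).items():
        print("%s: %s" % (host, status))
    local = installed_vlc_version()
    if local is None:
        print("local: vlc not found on PATH or no version banner")
    else:
        print("local: %d.%d.%d -> %s" % (local[0], local[1], local[2],
                                          "patched" if is_patched(local) else "vulnerable"))
```

Two caveats for real use. On Windows, vlc.exe is a GUI program and normally writes nothing to the console, so `installed_vlc_version` will report nothing there; read the file version of vlc.exe instead and feed the triple to `is_patched`. On Debian or Ubuntu, the distribution may backport fixes without bumping the upstream version number, so a packaged VLC reporting a version below 3.0.8 is not proof that it is unpatched; the package changelog is the authoritative check in that case.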

6 hours ago, Karlston said:

It turned out that VLC was not vulnerable but that the researcher ran an older version of Ubuntu.

That's not really true; it was the latest LTS release. It's not that old, it's a whole lot newer than Windows 8.1 is. :tooth: It came out when Windows 10 Redstone 4 did. It didn't matter what version of Ubuntu LTS you used, because it was not baked into VLC. It was only fixed upstream in the non-LTS releases; they have fixed it now in both active LTS releases. Linux and Windows VLC are not the same: libebml is baked into VLC on Windows, while on Linux it's not. VLC is a big mess on Linux, it needs codecs and libraries to be installed to make it work, if you don't use snap or Flatpak, which puts it all in a big container. MPV is a much better player on Linux that doesn't need all that mess.

 

Where are all the VLC fanboys at now? They were tearing it up when it was a false alarm on Windows. Every update fixes many vulnerabilities. It's bug-prone software; that's why Linux should stop shipping it as a default player and make it install-at-your-own-risk. Some Ubuntu flavors have replaced VLC with Gnome MPV, now called Celluloid, instead. Celluloid is OK, but the best front end for MPV is SMPlayer.

 

 

VLC is a shit show. When the dev and fanboys were fussing about that bug found in Debian and Ubuntu, they had already been notified about some of those bugs in VLC in the OP.

 

Disclosure timeline

  • July 22, 2019 - Antonio finds the first vulnerabilities, including an OOB write/read which affects OGG files and reports these bugs to the VideoLAN team.
  • July 26, 2019 - VLC team were able to reproduce these bugs, marking the beginning of our mutual collaboration.
  • August 05, 2019 - 5 new vulnerabilities related to WMV/ASF container were reported.
  • August 08, 2019 - All the WMV/ASF vulnerabilities were reproduced and fixed by VLC team.
  • August 09, 2019 - New vulnerabilities affecting MKV file format are reported.
  • August 8, 2019 - The VideoLAN team informs the Semmle Security Team that they will tag a new release of VLC with fixes for these bugs, and will issue a security advisory.
  • August 14, 2019 - The VideoLAN team tags the new release of VLC.
  • August 19, 2019 - VLC 3.0.8 is released.
  • August 19, 2019 - The VideoLAN team publishes the security advisory.

 

https://blog.semmle.com/vlc-vulnerability-heap-overflow/



leapinlizards

It is the only player I know that works with Chromecast, i.e. PC movie to TV.

I have no complaints.

Any recommendations would be appreciated.

Cheers
