Video Lan is now available for Windows, Mac, and Linux, releasing VLC Media Player 3.0.8. This release remedied 13 safety vulnerabilities and improved video reproduction.
The main improvements in this release include a bugging fix while looking at low frame rate videos, better adaptive support for streaming, fixed WebVTT subtitles, and an improved audio performance in macOS and iOS.
This release also addresses 13 vulnerabilities, including many buffer overflows, zero-by-zero dereferences, and zero vulnerabilities. Many of these, if not all, vulnerabilities have been directly found by VLC developers.
According to VideoLan’s safety newsletter, a remote user creating a specially designed file and tricking a user to open it could exploit these vulnerabilities. This would cause a crash or execute code in the user logged in safety context.
A malicious third party may successfully trigger either a VLC crash or the execution of arbitration code with the privileges of the target user.
Whilst these problems themselves are most likely to crash a player, we can not rule out the possibility to combine them to leak user information or execute code remotely. ASLR and DEP assist to decrease, but can be bypassed, the probability of code implementation.
Whereas the CVE CVE-2019-13602 & CVE-2019-13962 mention a base rating of 8.8 and 9.8, respectively, the VideoLAN team thinks that this seriousness would be extremely exaggerated; in our view a basic rating of 4.3 (AV: N / AC: L / PR: N / UI: R / S: U / C: N / I: N / A: L) would be more sensible.
Because the security vulnerabilities in this release have been fixed, it is strongly noted that all users download and install version 3.0.8. CVE-2019-13962 only impacts VLC 3.0.2 through 126.96.36.199.
You can find the complete change log for version 3.0.8 below:
Changes between 188.8.131.52 and 3.0.8: ---------------------------------- Core: * Fix stuttering for low framerate videos Demux: * Fix channel ordering in some MP4 files * Fix glitches in TS over HLS * Add real probing of HLS streams * Fix HLS MIME type fallback Decoder: * Fix WebVTT subtitles rendering Stream filter: * Improve network buffering Misc: * Update Youtube script Audio Output: * macOS/iOS: Fix stuttering or blank audio when starting or seeking when using external audio devices (bluetooth for example) * macOS: Fix AV synchronization when using external audio devices Video Output: * Direct3D11: Fix hardware acceleration for some AMD drivers Stream output: * Fix transcoding when the decoder does not set the chroma Security: * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970) * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962) * Fix a read buffer overflow in the FAAD decoder * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438) * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776) * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778) * Fix a use after free in the ASF demuxer (CVE-2019-14533) * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602) * Fix a null dereference in the dvdnav demuxer * Fix a null dereference in the ASF demuxer (CVE-2019-14534) * Fix a null dereference in the AVI demuxer * Fix a division by zero in the CAF demuxer (CVE-2019-14498) * Fix a division by zero in the ASF demuxer (CVE-2019-14535) Contribs: * Update to a newer libmodplug version (0.8.9.0)