VLC plugs various security holes
Version 3.0.23 of the VLC Media Player fixes various vulnerabilities that could potentially allow the injection of malicious code.
[Image: VLC updates close security vulnerabilities]
The VideoLAN project has fixed various security vulnerabilities when processing different media formats with versions 3.0.22 and 3.0.23 of the VLC Player. Those who use the software for streaming and media playback should update to the latest version.
In a security advisory, the VideoLAN project discusses the security vulnerabilities that VLC 3.0.22 already addresses. The vulnerabilities can cause VLC to crash, but the developers do not rule out that they could be exploited to execute malicious code or disclose user information. They have, however, no indication that the vulnerabilities are already being exploited.
The vulnerabilities affect the handling of the following formats and processing modules: MMS, OggSpots, CEA-708 subtitles, ty, CVD subtitles, the Ogg demuxer, WebVTT, the NSV demuxer, SRT subtitles, ASF, the MP4 demuxer, the SPU decoder, the SVCD subtitle decoder, the tx3g subtitle decoder, and finally a stack buffer in the audio output. In the project's NEWS file, the programmers list further vulnerabilities under “Security” in the changes between VLC 3.0.21 and 3.0.22, and note that this list is also not exhaustive.
Even newer version with only a few fixes
According to the release notes, the newer version, VLC 3.0.23, is just a small follow-up fix release. However, it also corrects some further security vulnerabilities, as can be read in the VLC NEWS file. The developers tersely list that they have fixed a “Null Deref” in libass, which presumably means a null pointer dereference. In the modules for processing Theora and CC-708 there were apparently undefined shifts, while in Daala there was an integer overflow. The h264 parser could enter an infinite loop. In addition, they corrected a buffer overflow in PNG handling and several “format overflows” in the same component.
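Two of the bug classes named above, undefined shifts and integer overflows in size arithmetic, are typical of hand-written media demuxers. The following is an added example, not VLC code, that parses a constructed, hypothetical 6-byte stream header and rejects the inputs that would trigger either class before any allocation happens:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Hypothetical header layout (constructed for this example, not a real VLC format):
 *   byte 0   : scale shift (left-shift amount applied to a 32-bit value)
 *   bytes 1-2: width  (big-endian)
 *   bytes 3-4: height (big-endian)
 *   byte 5   : bytes per pixel */
typedef struct {
    uint32_t scale;        /* 1 << shift, only valid if shift < 32 */
    uint32_t frame_bytes;  /* width * bpp * height, checked for overflow */
} hdr_t;

/* Returns true and fills *out only for a header that passes every check. */
static bool parse_hdr(const uint8_t *buf, size_t len, hdr_t *out) {
    if (len < 6)                       /* truncated input: avoid an out-of-bounds read */
        return false;

    unsigned shift = buf[0];
    if (shift >= 32)                   /* shifting a 32-bit value by >= 32 is undefined */
        return false;

    uint32_t width  = ((uint32_t)buf[1] << 8) | buf[2];
    uint32_t height = ((uint32_t)buf[3] << 8) | buf[4];
    uint32_t bpp    = buf[5];
    if (width == 0 || height == 0 || bpp == 0)
        return false;

    /* Checked multiplication: a wrapped product would under-allocate the frame
     * buffer and turn a later memcpy into a heap overflow. */
    uint32_t pitch, frame;
    if (__builtin_mul_overflow(width, bpp, &pitch))
        return false;
    if (__builtin_mul_overflow(pitch, height, &frame))
        return false;

    out->scale = UINT32_C(1) << shift;
    out->frame_bytes = frame;
    return true;
}

/* Constructed sample inputs for the checks above. */
static const uint8_t SAMPLE_OK[6]       = {4, 0x00, 0x10, 0x00, 0x08, 3};    /* 16x8, 3 bpp */
static const uint8_t SAMPLE_BADSHIFT[6] = {32, 0x00, 0x10, 0x00, 0x08, 3};   /* shift == 32 */
static const uint8_t SAMPLE_OVERFLOW[6] = {1, 0xFF, 0xFF, 0xFF, 0xFF, 255};  /* 65535*65535*255 */
```

`__builtin_mul_overflow` is a GCC/Clang builtin; on other compilers the same check can be done by dividing `UINT32_MAX` by one factor before multiplying.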
The software is available for download, pre-compiled for various platforms, on the VLC download page. It has been downloaded 6 billion times to date; the developers also plan to add local AI functions.
(dmk)