VLC 3.0.7 released with a long list of Security Issues Fixed

From LinuxReviews
Jump to navigationJump to search
Vlc.jpg

It appears there were buffer overflow issues in just about every module in the VLC media player ranging from decoders to demuxers. These bugs were largely found thank to the European Commission's bug bounty program. There is not much else of interest to Linux users, the vast majority of improvements in this release are specific to the Android, macOS and Windows versions.

VLC 3.0.7 was released June 7th, 2019 so we are a little late with this story. It is probably because we're all using mpv.

The people at the European Commission are apparently using VLC and it's importance to them is such that they made it a part of the EU's Free and Open Source Software Auditing (EU-FOSSA) project in January 2019. The fruits of this effort resulted in this very long list of mostly buffer overflow fixes in version 3.0.7:

  • Fix multiple buffer overflows in the ps demuxer
  • Fix a buffer overflow when copying a biplanar YUV image
  • Fix multiple buffer overflows in the faad decoder
  • Fix buffer overflow in the svcdsub decoder
  • Fix buffer overflows in the ogg muxer & demuxer
  • Fix buffer overflows in libavformat demuxer
  • Fix multiple buffer overflows in the MKV demuxer
  • Fix a buffer overflow in the MP4 demuxer
  • Fix a buffer overflow in the textst decoder
  • Fix a buffer overflow in the webvtt decoder
  • Fix a buffer overflow in the ASF demux
  • Fix a buffer overflow in the UPNP SD
  • Fix use after free in the ogg demuxer
  • Fix multiple use after free in the MKV demuxer
  • Fix multiple use after free in the DMO decoder
  • Fix integer underflow in the MKV demuxer
  • Fix an updater NULL pointer dereference on invalid signing keys
  • Fix NULL pointer dereference in the MKV demuxer
  • Fix an integer overflow in the spudec decoder
  • Fix an integer overflow in the nsc demuxer
  • Fix an integer overflow in the avi demuxer
  • Fix reads of uninitialized pointers in the MKV demuxer
  • Fix a floating point exception in the MKV demuxer
  • Fix an infinite loop in the flac packetizer

The European Commission's interest in VLC's security may or may not be related to the revelations that the US Cocaine Import Agency have been using "special" versions of VLC to spy on people.

There's other improvements to VLC in this version but those are mostly specific to Windows, macOS and Android. Improved Chromecast support and updated scripts for Youtube, Dailymotion, Vimeo, Soundcloud appear to be the only improvements in the Linux version apart from all the security-related fixes.