VLC video player has gaping security hole and there's no fix available

The Germans have discovered that the latest stable 3.0.7.1 version of the VideoLAN media player has a head-based buffer over-read in the demux code for mkv containers. Simply opening a carefully crafted video file using the mkv container is enough to have evil code executed on the system. The vulnerability affects both GNU/Linux and Windows machines.

Concretely, the function mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp will read more data into memory than it should when it is called from mkv::Open in modules/demux/mkv/mkv.cpp. VLC will detect the demuxer even if the file extension is wrong so a specially crafted mkv file could be named exploit.mp4.

The latest version of VLC has a gaping security hole

German CERT-Bund describes the risk as "hoch". The vulnerability is assigned CVE number 2019-13615.

There is zero information about this vulnerability on VLC's homepage at www.videolan.org but there is a open ticket numbered #22474. There is no information as to when a fix will be available.

The only work-around at this time appears to be to not use VLC. There is, of course, the option of using mpv.

While the Germans are in theory right when they claim the risk is "hoch" it's in practice near-zero. Someone could go through the trouble of creating a specially crafted .mkv file just for you and attempt to social engineer you into opening it if you are a high value target. The odds of randomly encountering such a specially crafted file which works on your machine is low. Then there is the issue of compatibility. Both GNU/Linux and Windows versions of VLC are vulnerable but Windows exploit code will not work on GNU/Linux and vice versa.

You may want to use mpv instead of VLC for the time being if you consider yourself a high-value target. If the excitement of opening potentially dangerous video files in VLC until a fixed version is released is worth the risk or not is a very personal choice.