SoylentNews is people

posted by martyb on Tuesday June 25 2019, @11:08PM
from the no-more-playing-around dept.

Submitted via IRC for SoyCow1944

An attacker could remotely take full control over a computer system while playing untrusted videos with any version of VLC media player software prior to 3.0.7.

The hack is possible due to two high-risk security flaws (CVE-2019-5439, CVE-2019-12874) that could potentially lead to arbitrary code execution attacks. The company VideoLAN also addressed many other medium and low-severity security vulnerabilities in its software.

"A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively," reads the security advisory published by the company. "If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user."

Source: https://securityaffairs.co/wordpress/87433/breaking-news/vlc-player-flaws.html


  • (Score: 0) by Anonymous Coward on Wednesday June 26 2019, @12:22PM (1 child)

    Forget Ubuntu. Switch to Fedora. VLC 3.0.7.1 here. Directly from rpmfusion repos.

  • (Score: 2) by JoeMerchant on Thursday June 27 2019, @02:47AM

    I think that's a difference between apt/deb and yum/rpm, mostly.

    I tried living with CentOS for over a year, about a year ago... didn't enjoy it much - not impossible, just more trouble overall than in Ubuntu.

    --
    🌻🌻 [google.com]