VideoLAN has issued an update to address a baker's dozen of CVE-listed security vulnerabilities in its widely used VLC player software.
The VLC update includes patches to clear up flaws that range in impact from denial of service (read: application crashes) to remote code execution (i.e. malware installation). Users and admins can get fixes for all of the vulnerabilities by updating VLC to version 3.0.8 or later.
So far, no attacks exploiting these holes have been reported in the wild.
"While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user information or remotely execute code," VideoLAN offered in announcing the update. "ASLR and DEP help reduce the likeliness of code execution, but may be bypassed."
Each of the 13 flaws would be exploited by opening a booby-trapped media file, such as vids in WMV, MP4, AVI, and OGG formats. In other cases, the flaws could be exploited via browser plugins by visiting a malicious webpage.
Get updated version 3.0.8 from the VLC Download Page.
(Score: 2) by edIII on Thursday August 22 2019, @06:01AM (2 children)
They haven't pushed 3.0.8 yet. Both APT and Snap aren't yet updated, and attempting to download the link and using xdg-open says it's 3.0.7 still.
Only way I can see to update on Ubuntu is to change the Snap channel for VLC to "beta".
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Thursday August 22 2019, @10:26AM
3.0.8 is available from Debian.
(Score: 0) by Anonymous Coward on Thursday August 22 2019, @03:51PM
A couple of modifications to the vlc.Slackbuild from alien, a download of the sources..run the script, go away for while, voila, one Slackware laptop running 3.0.8 (a priority, as it's the laptop that normally gets used to play random.video.files.from.torrents).
I'll copy the package over to the local server here and the desktop machines will update their copies from there, that is, unless the alien version gets updated first.