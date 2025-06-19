from the no-more-playing-around dept.
An attacker could remotely take full control over a computer system while playing untrusted videos with any version of VLC media player software prior to 3.0.7.
The hack is possible due to two high-risk security flaws (CVE-2019-5439, CVE-2019-12874) that could potentially lead to arbitrary code execution attacks. The company VideoLAN also addressed many other medium and low-severity security vulnerabilities in its software.
"A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively," reads the security advisory published by the company. "If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user."
Source: https://securityaffairs.co/wordpress/87433/breaking-news/vlc-player-flaws.html
(Score: 2) by All Your Lawn Are Belong To Us on Tuesday June 25, @11:16PM
It is a flaw and needs to be addressed. But to be sure, there has to be an actor who's created exploit code and embedded it as part of the video. It is not that someone simply playing an untainted untrusted video could have their system exploited. (Yeah, it reads that way when you read the full summary. But the first sentence and summary could be, "...computer system while playing exploited untrusted videos...")
I look forward to a patch. :)
(Score: 2) by MostCynical on Tuesday June 25, @11:31PM (1 child)
Don't run as admin.
Sudo is your friend.
(Score: 2) by RamiK on Wednesday June 26, @12:21AM
(Score: 0) by Anonymous Coward on Wednesday June 26, @12:03AM
What kind of newspeak is that? Do we have Untrusted Textfiles or even some Untrusted ASCII character too?