VLC 3.0.8 arrives with fixes for several security problems

A few days ago a new corrective release of the popular media player VLC, version 3.0.8, was presented, in which accumulated bugs and 13 vulnerabilities were fixed.

Three of these problems (CVE-2019-14970, CVE-2019-14777, CVE-2019-14533) could lead to the execution of attacker code when trying to play specially crafted multimedia files in MKV and ASF formats (a buffer overflow on write and two problems with accessing memory after it has been freed).

In addition, four vulnerabilities in the OGG, AV1, FAAD and ASF format handlers are caused by the ability to read data from memory areas outside the allocated buffer.

Three problems lead to NULL pointer dereferences in the dvdnav, ASF and AVI format unpackers. One vulnerability allows an integer overflow in the MP4 unpacker.

About fixed vulnerabilities

The VLC developers noted that the problem in the OGG format unpacker (CVE-2019-14438) was a read from an area outside the buffer (read buffer overflow), but the security researchers who discovered the vulnerability claim that it is possible to cause write overflows and achieve code execution when processing OGG, OGM and OPUS files with a specially crafted header block.

There is also a vulnerability (CVE-2019-14533) in the ASF format unpacker, which allows data to be written to an already freed memory area and code execution to be achieved when seeking forward or backward on the timeline while playing WMV and WMA files.

Also, issues CVE-2019-13602 (integer overflow) and CVE-2019-13962 (reading from an area outside of the buffer) were assigned a critical severity level (8.8 and 9.8), but the VLC developers do not agree and consider that these vulnerabilities are not dangerous (they suggest changing the level to 4.3).

Non-security fixes include removing stuttering when watching videos with a low frame rate and improved support for adaptive streaming (improved buffering code).

They also solve problems with WebVTT subtitle rendering and improve audio output on macOS and iOS platforms.

The script for downloading from YouTube was also updated, and problems with using Direct3D11 for hardware acceleration on systems with some AMD drivers were solved.

How to install VLC Media Player 3.0.8 on Linux?

For those who are Debian, Ubuntu, Linux Mint and derivative users, just type the following in the terminal:

sudo apt-get update
sudo apt-get install vlc browser-plugin-vlc

Those who are users of Arch Linux, Manjaro, Arco Linux or any distribution derived from Arch Linux must type:

sudo pacman -S vlc

If you are a user of the KaOS Linux distribution, the installation command is the same as for Arch Linux.

Users of any version of openSUSE only have to type the following in the terminal to install:

sudo zypper install vlc

Fedora users, and users of any derivative of it, must type the following:

sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm
sudo dnf install vlc

For the rest of the Linux distributions, we can install this software with the help of Flatpak or Snap packages. We only need to have support for installing applications with these technologies.

If you want to install with the help of Snap, you just have to type the following command in the terminal:

sudo snap install vlc

To install the candidate version of the program, do it with:

sudo snap install vlc --candidate

Finally, if you want to install the beta version of the program you must type:

sudo snap install vlc --beta

If you installed the application from Snap and want to update to the new version, you just have to type:

sudo snap refresh vlc

Finally, those who want to install from Flatpak can do it with the following command:

flatpak install --user https://flathub.org/repo/appstream/org.videolan.VLC.flatpakref

And if you had already installed it and want to update, you must type:

flatpak --user update org.videolan.VLC
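
After installing or updating, it is worth confirming that the player really is at 3.0.8 or later. The script below is an added example, not part of the original article or of VLC: it compares a version string numerically against 3.0.8. The function names and sample lines are constructed for illustration, and it assumes the first line printed by vlc --version contains the version number.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether a VLC version
# string is at least 3.0.8, the release that carries the fixes listed above.
# Assumption: only the upstream version number is compared; a distribution
# package with backported patches would need its own changelog checked.
FIXED_VERSION="3.0.8"

# Constructed sample lines in the style of the first line of `vlc --version`.
SAMPLE_OLD="VLC media player 3.0.7.1 Vetinari (revision constructed-sample)"
SAMPLE_NEW="VLC media player 3.0.8 Vetinari (revision constructed-sample)"

# Print the first dotted version number found in the given text.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' | head -n 1
}

# Return 0 if version $1 >= version $2, comparing numeric fields left to right.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0      # missing fields count as 0 (3.0 == 3.0.0)
        [ -n "$y" ] || y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Classify version text as "patched <v>", "outdated <v>" or "unknown".
classify_vlc() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo "unknown"; return 0; fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "patched $v"
    else
        echo "outdated $v"
    fi
}

# Check the locally installed player, if there is one.
if command -v vlc >/dev/null 2>&1; then
    classify_vlc "$(vlc --version 2>/dev/null | head -n 1)"
fi
```

The comparison is numeric per field, so 3.0.10 is correctly treated as newer than 3.0.8, which a plain string comparison would get wrong.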