VLC 3.0.13 arrives to fix some vulnerabilities

A few days ago, a corrective release of the VLC 3.0.13 media player was announced (despite the announcement of version 3.0.13 on the VideoLAN website, version 3.0.14 was in fact released, including search fixes). The release mainly fixes accumulated bugs and removes vulnerabilities.

Among the improvements are the addition of NFSv4 support, improved integration with SMB2 protocol-based storage, smoother rendering via Direct3D11, added horizontal axis settings for the mouse wheel, and the ability to scale SSA caption text.

The bug fixes include a fix for artifacts that appeared when playing HLS streams and fixes for audio problems in the MP4 format. The new version also addresses a vulnerability that could lead to code execution when a user interacts with specially crafted playlists.

The problem is similar to the recently announced vulnerability in OpenOffice and LibreOffice, which involved the ability to embed links, including links to executable files, that open after a user clicks without displaying a dialog box asking for confirmation of the operation. As an example, it is shown how code execution can be arranged by placing links in the playlist in the format "file:///run/user/1000/gvfs/sftp:host=,user=" which, when opened, run a JAR file loaded using the WebDAV protocol.
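A defensive check for the playlist pattern described above, as an added example that is not code from VideoLAN or from the original article: it scans an M3U playlist for entries that resolve into a GVFS remote mount or that name a non-media file. The extension list, the sample playlist and the host and user names in it are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: extensions treated as "program, not media"; adjust for your site.
RISKY_EXTENSIONS = (".jar", ".desktop", ".sh", ".exe")
# gvfs-fuse exposes remote shares (sftp, dav, smb) under /run/user/<uid>/gvfs/
GVFS_MOUNT = re.compile(r"^/run/user/\d+/gvfs/")

# Constructed sample playlist; host and user values are placeholders.
SAMPLE = """\
#EXTM3U
#EXTINF:120,Holiday clip
/home/alice/Videos/holiday.mp4
#EXTINF:-1,Live stream
https://media.example/live/stream.m3u8
#EXTINF:0,Shared file
file:///run/user/1000/gvfs/sftp:host=files.example,user=alice/shared/clip.jar
"""

def audit_entry(entry):
    """Return the reasons a single playlist entry deserves manual review."""
    parts = urlsplit(entry)
    # Bare paths have no scheme; URIs may carry percent-encoded characters.
    path = entry if parts.scheme == "" else unquote(parts.path)
    reasons = []
    if parts.scheme in ("", "file") and GVFS_MOUNT.match(path):
        reasons.append("points into a GVFS remote mount")
    if path.lower().endswith(RISKY_EXTENSIONS):
        reasons.append("target is not a media file")
    return reasons

def audit_m3u(text):
    """Return (line number, entry, reasons) for every suspicious entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and M3U directives
            continue
        reasons = audit_entry(line)
        if reasons:
            findings.append((lineno, line, reasons))
    return findings

if __name__ == "__main__":
    for lineno, entry, reasons in audit_m3u(SAMPLE):
        print(f"line {lineno}: {entry}\n  -> " + "; ".join(reasons))
```
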

VLC 3.0.13 also fixes several other vulnerabilities caused by bugs that lead to data being written outside the buffer when processing invalid media files in MP4 format. A bug in the kate decoder that caused a buffer to be used after it was freed was also fixed.

In addition, an issue was fixed in the automatic update delivery system that allowed an update to be forged during MITM attacks.

It is also mentioned that the release addresses multiple remote code execution vulnerabilities in VLC Media Player 3.0.12 that could be used to "trigger a VLC crash or arbitrary code execution with the privileges of the target user." Fortunately, VLC versions up to and including 3.0.11 do not include the automatic update error, so they can easily be updated to a patched version using the application's built-in automatic update system.

How to install VLC Media Player on Linux?

Users of Debian, Ubuntu, Linux Mint and their derivatives just need to type the following in the terminal:

sudo apt-get update
sudo apt-get install vlc browser-plugin-vlc

Users of Arch Linux, Manjaro, Arco Linux or any other distribution derived from Arch Linux must type:

sudo pacman -S vlc

If you are a user of the KaOS Linux distribution, the installation command is the same as for Arch Linux.

Users of any version of openSUSE only have to type the following in the terminal to install:

sudo zypper install vlc

Users of Fedora and any of its derivatives must type the following:

sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm
sudo dnf install vlc

For the rest of the Linux distributions, we can install this software with the help of the Flatpak or Snap packages. The system only needs to have support for installing applications with these technologies.

If you want to install with the help of Snap, just type the following command in the terminal:

sudo snap install vlc

To install the candidate version of the program, do it with:

sudo snap install vlc --candidate

Finally, if you want to install the beta version of the program you must type:

sudo snap install vlc --beta

If you installed the application from Snap and want to update to the new version, you just have to type:

sudo snap refresh vlc

Finally, those who want to install from Flatpak can do it with the following command:

flatpak install --user https://flathub.org/repo/appstream/org.videolan.VLC.flatpakref

If you already have it installed and want to update, type:

flatpak --user update org.videolan.VLC
