VLC media player gets biggest security update ever

Earlier this month, VideoLAN, the maintainers of the world’s most popular open source media player, issued the single biggest set of security fixes in the program’s history.

Numbering 33 in all, this included two marked critical, 21 mediums and 10 rated low, bringing VLC to 3.0.7.

But perhaps the most interesting part of the story is less the flaws themselves than the process through which they were found.

The most serious flaws

The first of the criticals, CVE-2019-12874, discovered and documented in detail by Symeon Paraschoudis of Pen Test Partners, is an out-of-bounds write flaw in the FAAD2 MPEG-4 and MPEG-2 AAC decoder library used by VLC 3.0.6 and earlier.

The second is CVE-2019-5439, a stack buffer overflow in version 4.0.0 beta’s Reliable Internet Stream Transport (RIST), potentially allowing remote code execution (RCE) at the user’s privilege level if the user can be persuaded to open a malicious AVI or MKV video file.

The mediums, meanwhile, are described by VideoLAN’s Jean-Baptiste Kempf as “mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues,” which could crash VLC.
