VLC released a minor update for Vetineri, the 3.0.x release line of VLC Media Player. This has been considered an important update as it received 33 security bug fixes. Jean-Baptiste Kempf, the president of VideoLAN non-profit org, pointed out that this release has fixed the highest number of security issues so far.
The two major security issues in this release are :
- An Out-of-Bounds Write Error in the faad2 library, a dependency of VLC. This flaw affects only the 3.0.x release line.
- A Stack Buffer Overflow Error in the RIST module.
The version 4.0 of VLC is in the beta stage. Therefore, the current version of VLC is 3.0.7.
VLC also reported that there are 21 medium security issues and 10 low-security issues that were fixed in the 3.0.7 release. These include multiple buffer overflow errors, use after free errors, integer underflow and overflow errors, NULL pointer dereferences, floating point exception errors, infinite loop error, etc.
The low-security bugs are not exploitable and they have no actual impact. The medium-security bugs though are exploitable and can crash the application.
VLC attributes the increase in the number of security issues to a bug bounty program funded by the European Commission during the FOSSA program.
The latest release has also brought out improvements for Blu-ray support and HDR support on Windows, including HLG streams.
Impact:
An attacker can exploit the out-of-bounds write vulnerability leading to a denial of service or code execution in some cases.
Affected Products:
VLC Media Player before version 3.0.7
Solution:
Upgrade to version 3.0.7 of VLC Media Player.
Please refer to this KB article.