Corsair iCUE LS100 Monitor Back Lighting Kit Review
Fractal Design ION+ Platinum 660 and 860W PSU review
Silverstone Permafrost PF240 liquid cooler review
Intel Core i9 9900KS processor review
AMD Ryzen 9 3950X review
Promo: Windows 10 Pro for $13 With Office 2016 For $33
ASUS PRIME X570 Pro review
ASUS ROG STRIX Scope keyboard review
GALAX GeForce RTX 2070 Super WTF review
ADATA Spectrix S40G 512GB NVMe M.2 SSD review
Critical Vulnerabilities in VLC Media Player Spotted and Patched
VideoLAN has addressed a critical double-free vulnerability in the VLC media player that could allow an attacker to execute arbitrary code on target systems. This security loophole can be used to plant malware in the computer where the media player is being used.
The security flaws on versions 3.0.6 and earlier of the software can enable hackers to load types of video files that can execute arbitrary code. Tracked as CVE-2019-12874, the security flaw features a CVSS v3 score of 9.8. The bug resides in the zlib_decompress_extra function of the VLC media player and could be triggered during the parsing of a malformed MKV file type within the Matroska demuxer.
Discovered by Symeon Paraschoudis from Pen Test Partners, the issue allows a remote attacker to create a specially crafted file to trigger a double free in zlib_decompress_extra() (demux/mkv/utils.cpp). The vulnerability has been addressed with the release of VLC 3.0.7, which also fixes a high-severity heap buffer overflow, along with various other vulnerabilities. Tracked as CVE-2019-5439 and residing in the ReadFrame (demux/avi/avi.c) function, the buffer overflow could be exploited through a specially crafted .avi file. The bug was reported through HackerOne, as part of a bug bounty program run by the European Union. The issue is that the ReadFrame function uses a variable obtained directly from the file. Because no strict check is performed before the memory operation (memmove, memcpy), a buffer overflow could be triggered.
“If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user,” VideoLAN explains in an advisory detailing both security bugs.
To successfully exploit the vulnerabilities, an attacker would have to trick the user into explicitly opening a specially crafted file or stream. While ASLR and DEP help reduce exposure, they may be bypassed, the advisory reads.
“The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied,” VideoLAN recommends.
More than HP printer models vulnerable to two very critical vulnerabilities - 08/07/2018 07:31 AM
Over a hundred HP inkjet printers are vulnerable to remote code execution vulnerabilities that are classified by HP as critical. By exploiting the vulnerabilities, an attacker could remotely execut...
Eight new Spectre Variant Vulnerabilities for Intel Discovered - four of them critical - 05/03/2018 09:55 AM
News has just started spreading that researchers have sighted another eight Spectre like vulnerabilities in Intel processors, all resemble Spectre, four of them are critical. The new vulnerabilities ...
Adobe Warns About Critical Flash Zero-Day Bug - 04/13/2011 09:30 AM
A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Pla...
Hacker finds critical exploit in Apple Keyboard - 08/03/2009 08:02 AM
A dangerous exploit for the Apple Keyboard was presented at DEFCON 2009, a security researcher nicknamed K. Chen demonstrated he had found a way to infect the firmware of the Apple Keyboard. The attac...
Critical JavaScript Vulnerability in Firefox 3.5 - 07/16/2009 05:47 AM
Mozilla has posted a security warning for Firefox 3.5. The company says that the bug was discovered in the JIT JavaScript compiler and disclosed publicly yesterday. The vulnerability can be mitigated...
SniperX
Member
Posts: 81
Joined: 2018-05-04
Member
Posts: 81
Joined: 2018-05-04
#5684867 Posted on: 06/27/2019 08:49 AM
Changes between 3.0.7 and 3.0.7.1:
----------------------------------
Access:
* Update libbluray to 1.1.2
macOS:
* Fix bluray java menu playback regression in 3.0.7
Video Output:
* Fix hardware acceleration with some AMD drivers
* Improve direct3d11 HDR support
Changes between 3.0.6 and 3.0.7:
--------------------------------
Access:
* Improve Blu-ray support
* Fix sftp module build with libssh >= 1.8.1
Audio output:
* Fix pass-through on Android-23
* Fix DirectSound drain
Demux:
* Improve MP4 support
Video Output:
* Fix 12 bits sources playback with Direct3D11
* Fix crash on iOS
* Fix midstream aspect-ratio changes when Windows hardware decoding is on
* Fix HLG display with Direct3D11
Stream Output:
* Improve Chromecast support with new ChromeCast apps
macOS:
* Fix UPNP service discovery, services are discovered on the highest priority
active network interface now
* Fix video distortion on macOS Mojave
Misc:
* Update Youtube, Dailymotion, Vimeo, Soundcloud scripts
* Work around busy looping when playing an invalid item with loop enabled
Translations:
* Update of most translations
Security:
* Fix multiple buffer overflows in the ps demuxer
* Fix a buffer overflow when copying a biplanar YUV image
* Fix multiple buffer overflows in the faad decoder
* Fix buffer overflow in the svcdsub decoder
* Fix buffer overflows in the ogg muxer & demuxer
* Fix buffer overflows in libavformat demuxer
* Fix multiple buffer overflows in the MKV demuxer
* Fix a buffer overflow in the MP4 demuxer
* Fix a buffer overflow in the textst decoder
* Fix a buffer overflow in the webvtt decoder
* Fix a buffer overflow in the ASF demux
* Fix a buffer overflow in the UPNP SD
* Fix use after free in the ogg demuxer
* Fix multiple use after free in the MKV demuxer
* Fix multiple use after free in the DMO decoder
* Fix integer underflow in the MKV demuxer
* Fix an updater NULL pointer dereference on invalid signing keys
* Fix NULL pointer dereference in the MKV demuxer
* Fix an integer overflow in the spudec decoder
* Fix an integer overflow in the nsc demuxer
* Fix an integer overflow in the avi demuxer
* Fix reads of uninitialized pointers in the MKV demuxer
* Fix a floating point exception in the MKV demuxer
* Fix an infinite loop in the flac packetizer
Changes between 3.0.7 and 3.0.7.1:
----------------------------------
Access:
* Update libbluray to 1.1.2
macOS:
* Fix bluray java menu playback regression in 3.0.7
Video Output:
* Fix hardware acceleration with some AMD drivers
* Improve direct3d11 HDR support
Changes between 3.0.6 and 3.0.7:
--------------------------------
Access:
* Improve Blu-ray support
* Fix sftp module build with libssh >= 1.8.1
Audio output:
* Fix pass-through on Android-23
* Fix DirectSound drain
Demux:
* Improve MP4 support
Video Output:
* Fix 12 bits sources playback with Direct3D11
* Fix crash on iOS
* Fix midstream aspect-ratio changes when Windows hardware decoding is on
* Fix HLG display with Direct3D11
Stream Output:
* Improve Chromecast support with new ChromeCast apps
macOS:
* Fix UPNP service discovery, services are discovered on the highest priority
active network interface now
* Fix video distortion on macOS Mojave
Misc:
* Update Youtube, Dailymotion, Vimeo, Soundcloud scripts
* Work around busy looping when playing an invalid item with loop enabled
Translations:
* Update of most translations
Security:
* Fix multiple buffer overflows in the ps demuxer
* Fix a buffer overflow when copying a biplanar YUV image
* Fix multiple buffer overflows in the faad decoder
* Fix buffer overflow in the svcdsub decoder
* Fix buffer overflows in the ogg muxer & demuxer
* Fix buffer overflows in libavformat demuxer
* Fix multiple buffer overflows in the MKV demuxer
* Fix a buffer overflow in the MP4 demuxer
* Fix a buffer overflow in the textst decoder
* Fix a buffer overflow in the webvtt decoder
* Fix a buffer overflow in the ASF demux
* Fix a buffer overflow in the UPNP SD
* Fix use after free in the ogg demuxer
* Fix multiple use after free in the MKV demuxer
* Fix multiple use after free in the DMO decoder
* Fix integer underflow in the MKV demuxer
* Fix an updater NULL pointer dereference on invalid signing keys
* Fix NULL pointer dereference in the MKV demuxer
* Fix an integer overflow in the spudec decoder
* Fix an integer overflow in the nsc demuxer
* Fix an integer overflow in the avi demuxer
* Fix reads of uninitialized pointers in the MKV demuxer
* Fix a floating point exception in the MKV demuxer
* Fix an infinite loop in the flac packetizer
Jagman
Senior Member
Posts: 2220
Joined: 2005-03-26
Senior Member
Posts: 2220
Joined: 2005-03-26
#5684912 Posted on: 06/27/2019 11:57 AM
Updated and +1 for VLC being awesome
Updated and +1 for VLC being awesome
Rich_Guy
Senior Member
Posts: 12292
Joined: 2003-05-11
Senior Member
Posts: 12292
Joined: 2003-05-11
#5684915 Posted on: 06/27/2019 12:03 PM
Just updated, thanks Hilbert
Just updated, thanks Hilbert
rl66
Senior Member
Posts: 2177
Joined: 2007-05-31
Senior Member
Posts: 2177
Joined: 2007-05-31
#5684960 Posted on: 06/27/2019 02:02 PM
patched before reading... I like reactive company.
patched before reading... I like reactive company.
Thunk_It
Senior Member
Posts: 162
Joined: 2010-07-20
Senior Member
Posts: 162
Joined: 2010-07-20
#5685384 Posted on: 06/29/2019 12:00 AM
Many thanks Hilbert for posting this article. As a result I definitely updated my VLC player!
Many thanks Hilbert for posting this article. As a result I definitely updated my VLC player!
azraei97
Junior Member
Posts: 6
Joined: 2018-10-31
Junior Member
Posts: 6
Joined: 2018-10-31
#5685489 Posted on: 06/29/2019 12:19 PM
Well, I'm not really care. VLC simply not good enough to play what I want properly long ago. Not sure now. I try to use VLC for android recently, it has same problem with some media same like the desktop version but I like a bit for android version because compare to other android m player, VLC no ads with it Free To Use. Now I use SMPlayer (MPV), K-Lite (MPC) for my PC meanwhile my phone/android base hardware use MX Player (MPV).
Well, I'm not really care. VLC simply not good enough to play what I want properly long ago. Not sure now. I try to use VLC for android recently, it has same problem with some media same like the desktop version but I like a bit for android version because compare to other android m player, VLC no ads with it Free To Use. Now I use SMPlayer (MPV), K-Lite (MPC) for my PC meanwhile my phone/android base hardware use MX Player (MPV).
rl66
Senior Member
Posts: 2177
Joined: 2007-05-31
Senior Member
Posts: 2177
Joined: 2007-05-31
#5686927 Posted on: 07/03/2019 10:43 PM
MX Player is the best on Android device and read nearly everything ...
On PC VLC still rock because with some few search on the net it can play BR and BR iso and also record streaming (but shhh it's both not allowed) but it is still crappy with real DVD reading.
Well, I'm not really care. VLC simply not good enough to play what I want properly long ago. Not sure now. I try to use VLC for android recently, it has same problem with some media same like the desktop version but I like a bit for android version because compare to other android m player, VLC no ads with it Free To Use. Now I use SMPlayer (MPV), K-Lite (MPC) for my PC meanwhile my phone/android base hardware use MX Player (MPV).
MX Player is the best on Android device and read nearly everything ...
On PC VLC still rock because with some few search on the net it can play BR and BR iso and also record streaming (but shhh it's both not allowed) but it is still crappy with real DVD reading.
The Goose
Senior Member
Posts: 2267
Joined: 2008-02-25
Senior Member
Posts: 2267
Joined: 2008-02-25
#5686939 Posted on: 07/03/2019 11:09 PM
Not used Vlc since i switched to MPC-HC x64 several years ago.....it has an auto shut down function which is handy for me as i have Tinnitus and have a film running in the background when im trying to get to sleep, i find windows sleep function does not always work unlike mpc which will shutdown my pc when the film is finished....8 times out of 10 ive fallen to sleep within the first 10 minutes, some times it takes 2 films.
Not used Vlc since i switched to MPC-HC x64 several years ago.....it has an auto shut down function which is handy for me as i have Tinnitus and have a film running in the background when im trying to get to sleep, i find windows sleep function does not always work unlike mpc which will shutdown my pc when the film is finished....8 times out of 10 ive fallen to sleep within the first 10 minutes, some times it takes 2 films.
sverek
Senior Member
Posts: 5379
Joined: 2011-01-02
Senior Member
Posts: 5379
Joined: 2011-01-02
#5686967 Posted on: 07/04/2019 02:48 AM
MX Player is the best on Android device and read nearly everything ...
On PC VLC still rock because with some few search on the net it can play BR and BR iso and also record streaming (but shhh it's both not allowed) but it is still crappy with real DVD reading.
Shame that free MX Player is plague with ads. Basically a profit making tool.
MX Player is the best on Android device and read nearly everything ...
On PC VLC still rock because with some few search on the net it can play BR and BR iso and also record streaming (but shhh it's both not allowed) but it is still crappy with real DVD reading.
Shame that free MX Player is plague with ads. Basically a profit making tool.
Click here to post a comment for this news story on the message forum.
Posts: 5379
Joined: 2011-01-02
Shout out to VLC for being free and awesome.