POSTED ON November 22, 2022 9:38 am
VLC Media Player 3.0.7
A Memory Corruption in the SSDP message processing in modules/sdp/sdp.c in VideoLAN VLC media player 3.0.4 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted SDP stream.
The US government’s NIST this month documented a critical heap-based buffer over-read, designated CVE-2019-13615, which is said to be present and unpatched in the most recent official version of VLC, 22.214.171.124. The flaw is, we’re told, present in the Linux, Unix, and Windows builds of the player.
VLC’s developers maintain they are not at fault, their software is not vulnerable, and there’s nothing to fix: use the latest version of the media player with its latest libraries, and you should be fine. The problem lies within libebml, which has been fixed since version 1.3.6, which was released more than a year ago.
An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp4/mp4.c in VideoLAN VLC media player through 126.96.36.199 allows remote attackers to cause a denial of service (heap-based buffer overflow and crash) or possibly have unspecified other impact via a crafted .mp4 file.
"A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively," reads the security advisory published by the company. "If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user."
VLC is the most popular open-source media player software that is currently being used by hundreds of millions of users worldwide. The software is available for all major OS, including Windows, macOS, Linux, Google Android, and Apple iOS.
Per configuration, audio/video players store user data, such as presets, in the system’s root folder, usually in a file named config.dat. This is mostly a binary file (usually 8 or 16 bytes long, though some are bigger).
When the file is touched, but not overwritten or deleted, the application very often reopens it and executes some kind of script, which may contain code meant to protect against a malicious program modifying the data and changing settings without your permission.
To be safe, you will need to update VLC player to version 3.0.7 or higher, as this version includes security fixes for all 33 security issues mentioned in our blog post. By running this audit you can easily identify machines in your network that are still using an outdated VLC media player installation and need patching right away. With the help of Lansweeper deployment, you can even patch straight from Lansweeper based on the audit results.
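The version check behind such an audit, as an added example that is not part of the original post and is not Lansweeper's own code. It flags hosts below VLC 3.0.7 and also hosts whose libebml is older than 1.3.6, since a current player with an old library is still affected; the inventory format, column names and host names are assumptions constructed for illustration.

```python
import csv
import io
import re

# Minimum safe versions as stated in the text above.
VLC_MIN = (3, 0, 7)
LIBEBML_MIN = (1, 3, 6)

# Constructed inventory export; host names and column names are hypothetical.
SAMPLE_INVENTORY = """host,vlc_version,libebml_version
ws-001,3.0.4,1.3.5
ws-002,3.0.7.1,1.3.5
ws-003,3.0.7,1.3.6
ws-004,3.0.8 Vetinari,1.4.2
ws-005,,1.3.6
ws-006,2.2.8,
"""

def parse_version(text):
    """Return the leading dotted version as a tuple of ints, or None."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in match.group(1).split(".")) if match else None

def check(found, minimum):
    """Classify one version string as 'ok', 'outdated' or 'unknown'."""
    version = parse_version(found)
    if version is None:
        return "unknown"  # empty or unparseable: needs a manual look
    # Pad to equal length so that 3.0.7 and 3.0.7.0 compare as equal.
    width = max(len(version), len(minimum))
    version += (0,) * (width - len(version))
    minimum += (0,) * (width - len(minimum))
    return "outdated" if version < minimum else "ok"

def audit(inventory_text):
    """Map each host needing attention to its per-component status."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_text)):
        status = {
            "vlc": check(row.get("vlc_version"), VLC_MIN),
            "libebml": check(row.get("libebml_version"), LIBEBML_MIN),
        }
        if any(state != "ok" for state in status.values()):
            findings[row["host"]] = status
    return findings

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```

Hosts reported as "unknown" returned no parseable version and should be checked by hand rather than treated as patched.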
Patches can be found on VLC’s official web page. Bug reports and a Bountysource page are also available, but the bug tracker requires a login with Google and a payment scheme to get a bounty, so I have avoided that.
If you are using a Linux distribution, then you can visit its homepage and download the latest version from there. If you are running Microsoft Windows, then download the latest version from here. If you are running macOS, then download the macOS version. You can also purchase a VLC license. There have been several discussions in the VLC forum about the recent security issues with VLC and suggestions on how to work around them.