VLC Media Player 3.0.8 is a security update
VideoLAN, the organization behind one of the most popular media players VLC Media Player, released VLC Media Player 3.0.8 today.
VLC Media Player 3.0.8 is a security update that patches a total of 13 different security issues in the client. The update is not related to a recently disclosed vulnerability that a too eager researcher attributed to VLC Media Player. It turned out that VLC was not vulnerable but that the researcher ran an older version of Ubuntu.
The update is not picked up yet by the player's automatic update function nor is it listed on the official VideoLAN website. It is available on the official Download VideoLAN download site for all supported operating systems, however.
You may download the new release and install it over the old. Whether you will do that right away or wait for the official release notification by VideoLAN is up to you. Cautious users may want to wait for the official announcement to download the new version either from the VideoLAN website or by using the application's integrated updater.
The new version of VLC patches the following issues in previous versions of the client application.
- Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
- Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
- Fix a read buffer overflow in the FAAD decoder
- Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
- Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
- Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
- Fix a use after free in the ASF demuxer (CVE-2019-14533)
- Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
- Fix a null dereference in the dvdnav demuxer
- Fix a null dereference in the ASF demuxer (CVE-2019-14534)
- Fix a null dereference in the AVI demuxer
- Fix a division by zero in the CAF demuxer (CVE-2019-14498)
- Fix a division by zero in the ASF demuxer (CVE-2019-14535)
You may look up the vulnerabilities with CVE IDs, e.g. on https://cve.mitre.org/. Note that the issues are not available to the public at the time of writing.
VLC Media Player 3.0.8 is a security update first and foremost. The update makes other a handful of other non-security related changes as well:
- Core: Fix stuttering for low framerate videos
- Demux: Fix glitches in TS over HLS
- Demux: Add real probing of HLS streams
- Demux: Fix HLS MIME type fallback
- Misc: Update Youtube script
- Audio Output: Fix stuttering or blank audio when starting or seeking when using
external audio devices (bluetooth for example) - Audio Output: Fix AV synchronization when using external audio devices on Mac OS.
- Stream Output: Fix transcoding when the decoder does not set the chroma
Work on VLC Media Player 4.0 continues meanwhile as well.
Now You: When you do install security updates for your applications? (via Deskmodder)
Anyone know how to get back, roll back…
This update is screwed up. and does not play sound right at all.
Cant find a way to get the last working version back.
Any one know how?
How do I get 3.0.8 on Ubuntu, I tried the snap package but it installed 3.0.7.
I then tried install 4.0 via “Software” but instead got an odd version called 3.0.7.1, ie a minor update to 3.0.7 it appears… I am too much of a noob with Linux although have been trying to learn using it already for a year… :(
What’s the word on the street for 4.0? It was supposed to come out in August but not holding my breath for that window.
Notwithstanding what DoNotAutoUpdate said above, I updated using VLC x64’s internal updater. Installation halted when the installer needed to do something with C:\Program Files\vlc.exe, and then again when it needed to do something with C:\Program Files\VLC Media Player\plugins\lua\liblua_plugin.dll. On both halts, I unlocked the file in question using IObit Unlocker and then hit Retry. The installer ran to completion and VLC loaded just fine. If it turns out that VLC isn’t fully functional, I’ll just download the standalone installer and run that.
I’m slowly transitioning to Linux, so I only use media players that are supported in *both* Windows and Linux for now. (There’s only so many GUIs and sets of shortcut keys I want to have to hop back and forth between, and customizing shortcut keys to make them more uniform across different apps is kind of a hassle across multiple computers, especially if you progressively refine the customizations as you go, in different computers!) I mostly use SMPlayer for video because of its *markedly* sharper and more stable video rendering on my 9- and 10-year-old laptops with integrated graphics, but I still use VLC for audio because its playlist management is less clumsy than SMPlayer’s. I think VLC might still support a wider range of video formats than SMPlayer, but in practice I rarely (if ever) come across media in formats that SMPlayer doesn’t support.
Avast should acquire VLC and then we wouldn’t have such problems. Also, then Avast could add all sorts of helpful tools to VLC, like Pitiform’s CCleaner. Wouldn’t that be great!?
Haha. Yeah, and they can add a silent AvastAV installation without consent in there too, brilliant. Hold on, why not a Facebook acquisition?!
Martin, I got this error after downloading the installer through the built in updater in VLC on windows 10 :- https://ibb.co/vBwLhSM
Any way to remedy this without uninstalling the entire software in the process ?
Bobo, it worked for me (vlc-3.0.8-win64.exe). I first removed my old VLC first though, if that matters. Also, I installed with the minimum options (no network stuff, no associations). Then I tested it in a sandbox and it plays my video and music. No issues so far.
I manually downloaded the exe from the website as it was going to overwrite the previous installation anyway while maintaining the original settings, yeah, but never needed to do this VLC in the first place, but it is FOSS and great at what it does, so a little work in this case doesn’t matter .
Bobo? Oops, that was for you TenguChan
@barfeert hur hur hur bobo bobo bobo
Could be a download error or corruption. Maybe download directly from VideoLAN and try to update that way?
Yeah, I did exactly what you said after I encountered this error, installed fine that way with my default settings , didn’t get this error on my laptop which runs mint though, so I thought you would like to know if it happened to be a bug in the windows installer .
Never auto-update anything! In most cases, auto-update is more or less calling-home spyware. If you want to stay safe, do manual updates only.
Funny when a mediaplayer gets so bloated it’s a constant security hazard.. How about getting rid of 95% bloat/features/code and you know, just play local media files instead of trying to make it do your taxes and walk your dog too? Oh and for God’s sake never ever update the UI, that’s the best and funniest part of this fiasco behemoth software. Winner of the Super-Fugliest UI 20 years in a row too, now that’s something to brag about!
..just gonna make some popcorn now =)
Some of the buffer overflow vulnerabilities could allow code execution. VLC is fixed now, but I wonder if other players’ demuxers could be affected in a similar way. Maybe is time to only open video files in a VM or just use Sandboxie.
Good idea. Wish more people knew about Sandboxie or VM. Isolating foreign executable or executable that can connect to the internet or run potentially crafted malware vectors are what we smarty farties at ghacks do.
@Steve – That’s a brilliant point! I didn’t even think of that, and I’m a super genius. So, I imagine it’s a good idea to just use VLC for now. Personally, I prefer MPC-BE, but I will now use VLC in my sandbox for now, at least until more about this issue goes public and such.
love this video player. I use it on Windows and on Android
These days, one can’t simply trust developers and organizations anymore so updates (security or not) get installed after being thoroughly tested in the lab. That’s why neither Windows 10 1809 not Windows 10 1903 got installed here yet. The silly folks at Microsoft simply don’t care and knowingly shipped Windows 10 1809/1903 with major bugs such as memory leaks that suck GBs of memory in just a couple of days or prevent access to the microphone because the smart alecks at Microsoft decided to expand ‘App Privacy Settings’ to all programs running on the computer. In short terms, idiots and script kiddies rule the show these days so be warned. However, the VLC folks do a great job and updating VLC is usually a no-brainer.
What are you talking about? I have installed 1903 and it works just fine.
You might feel so, but that does not mean anything, right?
Please elaborate on memory leaks in Windows 1903.
Just search the Microsoft Feedback hub (Hyper-V). The bug has been filed by someone from Microsoft.
Thank you.
Can anyone be more specific about what “Misc: Update Youtube script” actually does?
Maybe this is the script that allows VLC to extract and play a Youtube video by just pasting the Youtube URL in VLC, and it needs to be updated when Youtube is modified ?
Unfortunately not, only this bit: http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=HEAD
Clicked your link and got this. hehe
NoScript detected a potential Cross-Site Scripting attack
from https://www.ghacks.net to http://git.videolan.org.
Suspicious data: (URL) http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=HEAD