VLC Media Player 3.0.8 is a security update - gHacks Tech News

VLC Media Player 3.0.8 is a security update

VideoLAN, the organization behind one of the most popular media players VLC Media Player, released VLC Media Player 3.0.8 today.

VLC Media Player 3.0.8 is a security update that patches a total of 13 different security issues in the client.  The update is not related to a recently disclosed vulnerability that a too eager researcher attributed to VLC Media Player. It turned out that VLC was not vulnerable but that the researcher ran an older version of Ubuntu.

The update is not picked up yet by the player's automatic update function nor is it listed on the official VideoLAN website. It is available on the official Download VideoLAN download site for all supported operating systems, however.

vlc media player 3.0.8

You may download the new release and install it over the old. Whether you will do that right away or wait for the official release notification by VideoLAN is up to you. Cautious users may want to wait for the official announcement to download the new version either from the VideoLAN website or by using the application's integrated updater.

The new version of VLC patches the following issues in previous versions of the client application.

  • Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
  • Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
  • Fix a read buffer overflow in the FAAD decoder
  • Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
  • Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
  • Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
  • Fix a use after free in the ASF demuxer (CVE-2019-14533)
  • Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
  • Fix a null dereference in the dvdnav demuxer
  • Fix a null dereference in the ASF demuxer (CVE-2019-14534)
  • Fix a null dereference in the AVI demuxer
  • Fix a division by zero in the CAF demuxer (CVE-2019-14498)
  • Fix a division by zero in the ASF demuxer (CVE-2019-14535)

You may look up the vulnerabilities with CVE IDs, e.g. on https://cve.mitre.org/. Note that the issues are not available to the public at the time of writing.

VLC Media Player 3.0.8 is a security update first and foremost. The update makes other a handful of other non-security related changes as well:

  • Core: Fix stuttering for low framerate videos
  • Demux: Fix glitches in TS over HLS
  • Demux: Add real probing of HLS streams
  • Demux: Fix HLS MIME type fallback
  • Misc: Update Youtube script
  • Audio Output: Fix stuttering or blank audio when starting or seeking when using
    external audio devices (bluetooth for example)
  • Audio Output: Fix AV synchronization when using external audio devices on Mac OS.
  • Stream Output: Fix transcoding when the decoder does not set the chroma

Work on VLC Media Player 4.0 continues meanwhile as well.

Now You: When you do install security updates for your applications? (via Deskmodder)

Summary
VLC Media Player 3.0.8 is a security update
Article Name
VLC Media Player 3.0.8 is a security update
Description
VideoLAN, the organization behind one of the most popular media players VLC Media Player, released VLC Media Player 3.0.8 today.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Dave said on August 19, 2019 at 2:41 pm
    Reply

    Can anyone be more specific about what “Misc: Update Youtube script” actually does?

    1. Martin Brinkmann said on August 19, 2019 at 2:50 pm
      Reply
      1. Dave said on August 20, 2019 at 6:29 am
        Reply

        Clicked your link and got this. hehe

        NoScript detected a potential Cross-Site Scripting attack
        from https://www.ghacks.net to http://git.videolan.org.
        Suspicious data: (URL) http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=HEAD

    2. Anonymous said on August 19, 2019 at 4:31 pm
      Reply

      Maybe this is the script that allows VLC to extract and play a Youtube video by just pasting the Youtube URL in VLC, and it needs to be updated when Youtube is modified ?

  2. VLCisCool said on August 19, 2019 at 7:27 pm
    Reply

    These days, one can’t simply trust developers and organizations anymore so updates (security or not) get installed after being thoroughly tested in the lab. That’s why neither Windows 10 1809 not Windows 10 1903 got installed here yet. The silly folks at Microsoft simply don’t care and knowingly shipped Windows 10 1809/1903 with major bugs such as memory leaks that suck GBs of memory in just a couple of days or prevent access to the microphone because the smart alecks at Microsoft decided to expand ‘App Privacy Settings’ to all programs running on the computer. In short terms, idiots and script kiddies rule the show these days so be warned. However, the VLC folks do a great job and updating VLC is usually a no-brainer.

    1. Sebas said on August 19, 2019 at 8:53 pm
      Reply

      Please elaborate on memory leaks in Windows 1903.

      1. AskMicrosoft said on August 20, 2019 at 5:12 am
        Reply

        Just search the Microsoft Feedback hub (Hyper-V). The bug has been filed by someone from Microsoft.

      2. Sebas said on August 20, 2019 at 8:38 am
        Reply

        Thank you.

    2. Watako Tatako said on August 20, 2019 at 3:50 am
      Reply

      What are you talking about? I have installed 1903 and it works just fine.

      1. AskMicrosoft said on August 20, 2019 at 5:16 am
        Reply

        You might feel so, but that does not mean anything, right?

  3. binocry said on August 19, 2019 at 10:03 pm
    Reply

    love this video player. I use it on Windows and on Android

  4. Steve said on August 20, 2019 at 8:27 am
    Reply

    Some of the buffer overflow vulnerabilities could allow code execution. VLC is fixed now, but I wonder if other players’ demuxers could be affected in a similar way. Maybe is time to only open video files in a VM or just use Sandboxie.

    1. barfeert said on August 20, 2019 at 10:01 am
      Reply

      @Steve – That’s a brilliant point! I didn’t even think of that, and I’m a super genius. So, I imagine it’s a good idea to just use VLC for now. Personally, I prefer MPC-BE, but I will now use VLC in my sandbox for now, at least until more about this issue goes public and such.

    2. please_kill_me said on August 21, 2019 at 4:01 pm
      Reply

      Good idea. Wish more people knew about Sandboxie or VM. Isolating foreign executable or executable that can connect to the internet or run potentially crafted malware vectors are what we smarty farties at ghacks do.

  5. Bobo said on August 20, 2019 at 9:49 am
    Reply

    Funny when a mediaplayer gets so bloated it’s a constant security hazard.. How about getting rid of 95% bloat/features/code and you know, just play local media files instead of trying to make it do your taxes and walk your dog too? Oh and for God’s sake never ever update the UI, that’s the best and funniest part of this fiasco behemoth software. Winner of the Super-Fugliest UI 20 years in a row too, now that’s something to brag about!
    ..just gonna make some popcorn now =)

  6. TenguChan said on August 20, 2019 at 9:56 am
    Reply

    Martin, I got this error after downloading the installer through the built in updater in VLC on windows 10 :- https://ibb.co/vBwLhSM

    Any way to remedy this without uninstalling the entire software in the process ?

    1. Martin Brinkmann said on August 20, 2019 at 10:03 am
      Reply

      Could be a download error or corruption. Maybe download directly from VideoLAN and try to update that way?

      1. TenguChan said on August 20, 2019 at 1:26 pm
        Reply

        Yeah, I did exactly what you said after I encountered this error, installed fine that way with my default settings , didn’t get this error on my laptop which runs mint though, so I thought you would like to know if it happened to be a bug in the windows installer .

      2. DoNotAutoUpdate said on August 20, 2019 at 2:01 pm
        Reply

        Never auto-update anything! In most cases, auto-update is more or less calling-home spyware. If you want to stay safe, do manual updates only.

    2. barfeert said on August 20, 2019 at 10:19 am
      Reply

      Bobo, it worked for me (vlc-3.0.8-win64.exe). I first removed my old VLC first though, if that matters. Also, I installed with the minimum options (no network stuff, no associations). Then I tested it in a sandbox and it plays my video and music. No issues so far.

      1. barfeert said on August 20, 2019 at 12:26 pm
        Reply

        Bobo? Oops, that was for you TenguChan

      2. TenguChan said on August 20, 2019 at 1:32 pm
        Reply

        @barfeert hur hur hur bobo bobo bobo

      3. TenguChan said on August 20, 2019 at 1:31 pm
        Reply

        I manually downloaded the exe from the website as it was going to overwrite the previous installation anyway while maintaining the original settings, yeah, but never needed to do this VLC in the first place, but it is FOSS and great at what it does, so a little work in this case doesn’t matter .

  7. 2fat4u said on August 20, 2019 at 10:12 am
    Reply

    Avast should acquire VLC and then we wouldn’t have such problems. Also, then Avast could add all sorts of helpful tools to VLC, like Pitiform’s CCleaner. Wouldn’t that be great!?

    1. Coneiforme said on August 21, 2019 at 4:37 pm
      Reply

      Haha. Yeah, and they can add a silent AvastAV installation without consent in there too, brilliant. Hold on, why not a Facebook acquisition?!

  8. Peterc said on August 20, 2019 at 5:54 pm
    Reply

    Notwithstanding what DoNotAutoUpdate said above, I updated using VLC x64’s internal updater. Installation halted when the installer needed to do something with C:\Program Files\vlc.exe, and then again when it needed to do something with C:\Program Files\VLC Media Player\plugins\lua\liblua_plugin.dll. On both halts, I unlocked the file in question using IObit Unlocker and then hit Retry. The installer ran to completion and VLC loaded just fine. If it turns out that VLC isn’t fully functional, I’ll just download the standalone installer and run that.

    I’m slowly transitioning to Linux, so I only use media players that are supported in *both* Windows and Linux for now. (There’s only so many GUIs and sets of shortcut keys I want to have to hop back and forth between, and customizing shortcut keys to make them more uniform across different apps is kind of a hassle across multiple computers, especially if you progressively refine the customizations as you go, in different computers!) I mostly use SMPlayer for video because of its *markedly* sharper and more stable video rendering on my 9- and 10-year-old laptops with integrated graphics, but I still use VLC for audio because its playlist management is less clumsy than SMPlayer’s. I think VLC might still support a wider range of video formats than SMPlayer, but in practice I rarely (if ever) come across media in formats that SMPlayer doesn’t support.

  9. Coneiforme said on August 21, 2019 at 4:38 pm
    Reply

    What’s the word on the street for 4.0? It was supposed to come out in August but not holding my breath for that window.

  10. Someone Help Me :( said on August 23, 2019 at 8:48 am
    Reply

    How do I get 3.0.8 on Ubuntu, I tried the snap package but it installed 3.0.7.

    I then tried install 4.0 via “Software” but instead got an odd version called 3.0.7.1, ie a minor update to 3.0.7 it appears… I am too much of a noob with Linux although have been trying to learn using it already for a year… :(

  11. Erik said on September 7, 2019 at 6:32 pm
    Reply

    Anyone know how to get back, roll back…
    This update is screwed up. and does not play sound right at all.
    Cant find a way to get the last working version back.

    Any one know how?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.