VLC

VideoLan has released VLC Media Player 3.0.8 and it is now available for Windows, Mac, and Linux. This release fixed 13 security vulnerabilities as well as providing improvements to video playback.

The main improvements in this release includes a fix for stuttering while watching low frame rate videos, better adaptive streaming support, fixed WebVTT subtitle rendering, and improved audio output in macOS and iOS.

In addition, this release fixes 13 vulnerabilities that include numerous buffer overflow, null after free, null dereference, and division by zero vulnerabilities. Many of these vulnerabilities, if not all, were discovered directly by the VLC developers.

According to VideoLan's security bulletin, these vulnerabilities could be exploited by a remote user creating a specially crafted file and tricking a user into opening it. Doing so would trigger a crash or perform code execution in the security context of the logged in user.

If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.

While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.

We have not seen exploits performing code execution through these vulnerabilities
While CVE CVE-2019-13602 & CVE-2019-13962 mention a base score of 8.8 and 9.8 respectively, the VideoLAN team believes this severity is highly exagerated; in our opinion, a base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) would be more reasonable.

CVE-2019-13962 only affects VLC 3.0.2 to 3.0.7.1

Due to the amount of security vulnerabilities fixed in this release, it is strongly advised that all users download and install version 3.0.8. 

The full change log for version 3.0.8 can be found below:

Changes between 3.0.7.1 and 3.0.8:
----------------------------------

Core:
 * Fix stuttering for low framerate videos

Demux:
 * Fix channel ordering in some MP4 files
 * Fix glitches in TS over HLS
 * Add real probing of HLS streams
 * Fix HLS MIME type fallback

Decoder:
 * Fix WebVTT subtitles rendering

Stream filter:
 * Improve network buffering

Misc:
 * Update Youtube script

Audio Output:
 * macOS/iOS: Fix stuttering or blank audio when starting or seeking when using
   external audio devices (bluetooth for example)
 * macOS: Fix AV synchronization when using external audio devices

Video Output:
 * Direct3D11: Fix hardware acceleration for some AMD drivers

Stream output:
 * Fix transcoding when the decoder does not set the chroma

Security:
 * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
 * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
 * Fix a read buffer overflow in the FAAD decoder
 * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
 * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
 * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
 * Fix a use after free in the ASF demuxer (CVE-2019-14533)
 * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
 * Fix a null dereference in the dvdnav demuxer
 * Fix a null dereference in the ASF demuxer (CVE-2019-14534)
 * Fix a null dereference in the AVI demuxer
 * Fix a division by zero in the CAF demuxer (CVE-2019-14498)
 * Fix a division by zero in the ASF demuxer (CVE-2019-14535)

Contribs:
 * Update to a newer libmodplug version (0.8.9.0)