VLC 2.0.6 fixes hole from January
The release of VLC 2.0.6 means that a hole discovered in January is now officially closed. The bug in question was a buffer overflow in the ASF demuxer which could potentially be tricked into executing arbitrary code when a user opened a specially crafted ASF movie. The fix had been applied to the development code in January, but it's only now that the update has been officially released; users of the VLC nightly builds were protected against the flaw but were exposed to other bugs as new features were developed. Another flaw, a user-after-free crash when playing back Ogg files, was also fixed.
VLC 2.0.6 also has a range of new features and improvements in it. Playback of Apple-lossless audio has been enhanced, MKV playback handles Matroska v4, and regressions have been corrected when playing AVI files with palleted codecs. There are also updated codecs and third-party libraries which are said to offer general improvements all round, including DVD playback. Connecting to HTTPS servers will also be more reliable as VLC now accepts some certificates it previously rejected.
The Linux version of VLC rejects broken versions of PulseAudio and offers "numerous" improvements to the D-Bus and MPRIS2 interfaces. On Mac OS X, VLC has better fullscreen subtitle rendering and controller, and various fixes for the audio filter UI, video output code, folder selection and UI drawing issues. Windows users with Intel HD2000/3000 cards will find GPU decoding has been fixed too.
VLC 2.0.6 is available to download from the applications page on Videolan.org. Automatic updates for Windows are expected to start soon. VLC is licensed under a combination of GPLv2 (for the application) and LGPLv2 (for the core libraries).
(djwm)