VLC Media Player 2.0.1 closes security holes
Version 2.0.1 of the open source VLC Media Player has been released. According to VideoLAN developer Jean-Baptiste Kempf, the maintenance update to VLC 2.0 "Twoflower" includes fixes for more than 110 bugs and closes two security holes that could be exploited by an attacker to compromise a victim's system.
The update addresses a stack overflow in MMS support as well as a heap-based buffer overflow in Real RTSP support which, its developers say, could lead to arbitrary code execution on most systems. For an attack to be successful, a user must first open a specially crafted file or a malicious web site. All VLC versions up to and including 2.0.0 are affected; upgrading to 2.0.1 fixes these issues.
Non-security related updates in VLC 2.0.1 include the addition of support for MxPEG files and streams, decoding improvements and, on Mac OS X, the user interface is now said to be more customisable. Other changes include limited support for Blu-ray disc menus, and fixes for MKV, HTTP Live Streaming, CDDB and UDP/RTP support, as well as various other bug fixes.
A full list of changes in the update can be found in the NEWS file and in the release notes. VLC 2.0.1 is available to download for Windows, Mac OS X and Linux. VLC source code and binaries are licensed under the GPLv2.
See also:
- Stack overflow in VLC MMS support, a VideoLAN project security advisory.
- Heap overflows in VLC Real RTSP support, a VideoLAN project security advisory.
(crve)