VideoLAN developers have released an updated version of VLC Media Player, 3.0.8. The new version fixes 13 vulnerabilities and improves video playback. The security bulletin states that the identified problems can be triggered simply by opening a specially crafted malicious file or stream. This can provoke buffer overflows, use-after-free bugs, division by zero, and so on. Successful exploitation either causes the media player to malfunction or can lead to the execution of arbitrary code with the rights of the current user.
“Although these problems separately are likely to cause malfunction of the player only, we cannot exclude the possibility that they can also be combined and cause a leak of user’s information or remote code execution. ASLR and DEP help to reduce this probability, but they can be bypassed”, the developers write.
Ten of the thirteen vulnerabilities were discovered by Semmle Security Team specialists: among them are out-of-bounds reads (CVE-2019-14437 and CVE-2019-14776), out-of-bounds writes (CVE-2019-14438 and CVE-2019-14970), division by zero (CVE-2019-14498 and CVE-2019-14535), use-after-free bugs (CVE-2019-14533, CVE-2019-14777 and CVE-2019-14778), and a null pointer dereference (CVE-2019-14534).
VideoLAN engineers note that although CVE-2019-13602 and CVE-2019-13962, which were discovered by independent information security researchers, were rated at 8.8 and 9.8 on the ten-point CVSS scale, they consider the severity of these problems overestimated and believe they would most likely be assessed at 4.3. Moreover, CVE-2019-13962 affects only VLC versions from 3.0.2 to 22.214.171.124.
In addition, the bulletin notes that CVE-2019-14533 affects WMV and WMA files (ASF container) and may be triggered while seeking through a video.