VLC Media Player 1.1.12 closes security hole
The VideoLAN project development team has announced the release of version 1.1.12 of the VLC Media Player. The maintenance and security update addresses a NULL dereference vulnerability in the HTTP and RTSP server component used by VLC which could be exploited by an attacker to crash the server process.
For an attack to succeed, the victim must be running VLC and must have manually started the HTTP web interface, HTTP output, RTSP output or RTSP VoD function. Versions up to and including 1.1.11 are affected. According to the developers, the issue "does not affect standard usage of the player".
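The bug class behind this advisory, a server component dereferencing a pointer that a lookup can legitimately return as NULL, is easy to illustrate outside VLC. The following is an added example written for this article, not VLC's code and not derived from the advisory: a hypothetical RTSP-style header lookup (`find_header`), a handler that assumes a `Session` header is always present and therefore crashes the whole process when it is not, and the hardened form that checks the lookup result and answers with a client error instead. The request strings are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request representation: a raw header block with one
 * "Name: value" line per header. Returns a pointer to the value of
 * header `name`, or NULL when the header is absent. */
static const char *find_header(const char *headers, const char *name) {
    size_t nlen = strlen(name);
    const char *line = headers;
    while (line && *line) {
        if (strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (*v == ' ') v++;      /* skip optional whitespace after ':' */
            return v;
        }
        line = strchr(line, '\n');      /* advance to the next header line */
        if (line) line++;
    }
    return NULL;
}

/* Length of a header value up to the end of its line. Dereferences `v`,
 * so callers must never pass NULL. */
static size_t value_len(const char *v) {
    const char *end = strchr(v, '\n');
    return end ? (size_t)(end - v) : strlen(v);
}

/* Vulnerable pattern (constructed illustration of the bug class): the
 * handler assumes the Session header exists. When it is missing,
 * find_header returns NULL and value_len dereferences it, which takes
 * down the entire server process, not just this one request. */
int handle_session_unsafe(const char *headers) {
    const char *sess = find_header(headers, "Session");
    size_t n = value_len(sess);         /* NULL dereference if absent */
    return n > 0 ? 200 : 400;
}

/* Hardened form: treat a missing header as malformed client input and
 * reject the request with 400 Bad Request before touching the pointer. */
int handle_session_safe(const char *headers) {
    const char *sess = find_header(headers, "Session");
    if (sess == NULL)
        return 400;                     /* required header absent */
    size_t n = value_len(sess);
    return n > 0 ? 200 : 400;
}

int main(void) {
    const char *good = "CSeq: 2\nSession: 12345678\n";  /* constructed sample */
    const char *bad  = "CSeq: 3\n";                      /* constructed: no Session */
    printf("unsafe, Session present -> %d\n", handle_session_unsafe(good));
    printf("safe,   Session present -> %d\n", handle_session_safe(good));
    printf("safe,   Session missing -> %d\n", handle_session_safe(bad));
    /* handle_session_unsafe(bad) would crash the process with SIGSEGV. */
    return 0;
}
```

The detection angle for this class of bug is the same on any server: a single malformed request terminating the process shows up as an unexpected exit of the service (a segmentation fault in system logs, or a crash report on Mac OS X) rather than as an error entry in the application's own log, so a monitoring rule on abnormal process exits catches it even when the application logs nothing.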
The thirteenth release of the 1.1.x branch of VLC also brings improvements for audio output: it adds support for the AC-3 and DTS passthrough introduced in version 1.0 of PulseAudio, includes fixes for PulseAudio synchronisation, and improves support for Mac OS X 10.7 Lion. Other changes include Unix port compatibility updates, translation updates and fixes for bugs that caused VLC to crash on Mac OS X systems running with the Japanese locale.
More details about the update, including a full list of changes, can be found in the release announcement and in the NEWS file. VLC 1.1.12 is available to download from the project's web site and is licensed under the GPLv2.
- NULL dereference in HTTP and RTSP server, a VideoLAN project security advisory.