VLC Media Player 1.1.6 fixes critical vulnerabilities
The VideoLAN project developers have announced the release of version 1.1.6 of their VLC Media Player, a free open source cross-platform multimedia player for various audio and video formats. The seventh release of the 1.1.x branch of VLC is a maintenance and security update that includes various bug fixes and improvements.
VLC 1.1.6 addresses security issues in the Real demuxer and the subtitle decoder, as well as two previously reported critical heap corruption vulnerabilities in the relatively rarely used CDG format decoder. Using VLC to play manipulated video in this format could cause heap corruption, which could in turn be exploited to inject and execute malicious code. At the time of this posting, the VideoLAN security information page has yet to be updated.
Other changes include visualisation improvements for projectM and goom, PulseAudio output updates, faster WebM / VP8 decoding and support for audio/L24 in RTP. The update also includes fixes for Audio CD playback on Windows systems, Mac OS X SSA fontcache, as well as Qt4 and Media Keys processing improvements.
More details about the update can be found in the official release announcement and on the What's new in 1.1.6 page. VLC 1.1.6 is available to download from the project's home page for Windows, Mac OS X and Linux. VLC is released under version 2 of the GNU General Public License (GPLv2).
See also:
- VLC Media Player Multiple Vulnerabilities, security advisory from Secunia.
(crve)