In association with heise online

02 February 2011, 11:09

VLC Media Player 1.1.7 addresses critical vulnerability

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

VLC Logo The VideoLAN project has issued version 1.1.7 of its VLC Media Player, a free open source cross-platform multimedia player for various audio and video formats. This eight release of the 1.1.x branch of VLC is a maintenance and security update that addresses a critical vulnerability that was reported earlier this week.

VLC 1.1.7 fixes a security issue in a demuxer which could be exploited using specially crafted MKV (Matroska Video and WebM) videos to inject malicious code onto a system and execute that code with the user's privileges. The root of the problem lies with insufficient input validation in the MKV demuxer plugin (libmkv_plugin.*). The update consists in swapping a single line within a macro. All versions up to and including 1.1.6 are reportedly affected. Other changes include various bug fixes and translation updates. The developers encourage all users to update to the latest release.

This 1.1.7 release is the second update to arrive in the past few weeks. In late January, the project issued VLC 1.1.6 to close a critical vulnerability that could have caused heap corruption, which could in turn have been exploited to inject and execute malicious code.

Further information about the 1.1.7 update can be found in the release announcement and in the security advisory – see link below. At the time of this posting, the expected What's new in 1.1.7 page has yet to be published. VLC 1.1.7 is available to download from the project's home page for Windows, Mac OS X and Linux. VLC is released under version 2 of the GNU General Public License (GPLv2).

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit