VLC Media Player 1.1.7 addresses critical vulnerability
The VideoLAN project has issued version 1.1.7 of its VLC Media Player, a free open source cross-platform multimedia player for various audio and video formats. This eighth release of the 1.1.x branch of VLC is a maintenance and security update that addresses a critical vulnerability that was reported earlier this week.
VLC 1.1.7 fixes a security issue in a demuxer which could be exploited using specially crafted MKV (Matroska Video and WebM) videos to inject malicious code onto a system and execute that code with the user's privileges. The root of the problem lies with insufficient input validation in the MKV demuxer plugin (libmkv_plugin.*). The update consists in swapping a single line within a macro. All versions up to and including 1.1.6 are reportedly affected. Other changes include various bug fixes and translation updates. The developers encourage all users to update to the latest release.
This 1.1.7 release is the second update to arrive in the past few weeks. In late January, the project issued VLC 1.1.6 to close a critical vulnerability that could have caused heap corruption, which could in turn have been exploited to inject and execute malicious code.
Further information about the 1.1.7 update can be found in the release announcement and in the security advisory – see link below. At the time of this posting, the expected What's new in 1.1.7 page has yet to be published. VLC 1.1.7 is available to download from the project's home page for Windows, Mac OS X and Linux. VLC is released under version 2 of the GNU General Public License (GPLv2).
- Security Advisory 1102, security advisory from the VideoLAN project.