VLC media player version 1.0.6 release - vulnerabilities removed, stability improved
Version 1.0.6 (part of the 'Goldeneye' branch) of VLC media player, the free media player and streamer, eliminates nine security vulnerabilities and offers increased stability. The developers discovered the vulnerabilities while working on the code for the upcoming version 1.1.0. They include heap overflows in the audio decoders for DTS, MPEG and A/52, and memory access errors in the AVI, ASF and Matroska demultiplexers.
Some of the flaws could probably be exploited to inject and execute code via crafted media files. For such an attack to succeed, the user would have to download and open a file, for example a video file from a manipulated file hosting service.
The module for Real Time Messaging Protocol (RTMP) was completely removed for safety reasons; the developers plan to restore RTMP input, based on FFmpeg, in VLC version 1.1.0. A complete list of changes is available on the VLC media player 1.0.6 source page. The new version is currently only available as source code, but binaries for Windows and Mac OS X are likely to be available soon.
The upcoming version 1.1.0, the start of 'The Luggage' branch of the code, supports for the first time H.264 and MPEG-VC-1 / WMV movie decoding via the graphics card hardware on Windows Vista, Windows 7 and Linux. VLC is released under version 2 of the GNU General Public License (GPLv2).
- Security Advisory 1003, from VideoLAN.
- VLC 1.1.0 preview adds GPU acceleration, a report from The H.