4

This is latest security advisory from VLC

Security Advisory 1901

Summary : Read buffer overflow & double free Date
: June 2019 Affected versions : VLC media player 3.0.6 and earlier ID : VideoLAN-SA-1901 CVE reference : CVE-2019-5439, CVE-2019-12874

Details

A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively Impact

If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user. Threat mitigation

Exploitation of those issues requires the user to explicitly open a specially crafted file or stream.

ASLR and DEP help reduce exposure, but may be bypassed. Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied. Solution

VLC media player 3.0.7 addresses the issue.

According to them, installing VLC media player 3.0.7 will fix the issue.

However, the one available in Ubuntu is the old version 3.0.4

user@linux:~$ apt show vlc
Package: vlc
Version: 3.0.4-1ubuntu0.2
Priority: optional
Section: universe/graphics
Origin: Ubuntu

Isn't this considered as high security risk?

karel
  • 114,770
Sabrina
  • 2,003
  • 5
  • 24
  • 28

1 Answers1

3

To install the vlc snap package version 3.0.7 in all currently supported versions of Ubuntu open the terminal and type:

sudo snap install vlc

VLC is the VideoLAN project's media player. Completely open source and privacy-friendly, it plays every multimedia file and streams. The vlc snap package will be updated automatically in the background when updates are available.

The Linux ecosystem has several methods for opting out of security risks like this one. If there isn't an updated snap package available sometimes it is possible to install an updated version of the same package in a virtual environment, for example with python3-kivy which has a bug in 18.04 using this workaround. Another possible safe alternative is to search for an updated flatpak package of the same application and install the flatpak package in your own home directory as a normal user without root privileges.

karel
  • 114,770
  • Thanks, VLC is just an example. What about other software? e.g. https://askubuntu.com/questions/1149720/why-does-ubuntu-offer-an-old-version-of-gns3-instead-of-the-latest-one – Sabrina Jun 23 '19 at 11:43
  • If you're worried about security, read the security notices Canonical/Ubuntu put out - eg. https://usn.ubuntu.com/4074-1/ (these are easiest to search via CVE I think, but are covered in news releases, ubuntu security podcast etc) Security fixes are back-ported to the existing Ubuntu version for each release, UNLESS back-porting is more work than moving the release to the later upstream fixed version. – guiverc Nov 30 '19 at 12:13