Remote code execution vulnerability in VLC

For discussions about security.
6502coder
Posts: 677
Joined: Mon 23 Mar 2009, 18:07
Location: Western United States

#1 Post by 6502coder »

https://www.zdnet.com/article/remote-co ... -unpatched
CERT-Bund warns that VLC media player version 3.0.7.1, the latest build available, contains a vulnerability which has been awarded a CVSS score of 9.8 out of 10.

"A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files," as noted by ESET.

The vulnerability is known to exist in the latest version of VLC on Windows, Linux, and Unix machines, but it is possible the bug is also present in past builds.

Tracked as CVE-2019-13615, the security flaw does not require privilege escalation or user interaction to exploit.

disciple
Posts: 6984
Joined: Sun 21 May 2006, 01:46
Location: Auckland, New Zealand

#2 Post by disciple »

Changed 2 days ago by Jean-Baptiste Kempf
Component: Demuxers → Demuxers: MKV
Work status: 60% → Not started
This does not crash a normal release of VLC 3.0.7.1

comment:3 Changed 5 hours ago by Francois Cartegnie
If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you read the above comment first and reconsider your (fake) news sources.
Do you know a good gtkdialog program? Please post a link here

Classic Puppy quotes

ROOT FOREVER
GTK2 FOREVER

anewuser
Posts: 93
Joined: Sun 05 Feb 2012, 20:00

#3 Post by anewuser »

Also, from VLC's official Twitter account @videolan at https://twitter.com/videolan/status/1153963312981389312, which was posted recently on https://news.ycombinator.com/item?id=20513702
About the "security issue" on #VLC: VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
