[Security Update] 2019-08-19 - VLC 3.0.8

VLC 3.0.8

I have built and pushed VLC 3.0.8-0 to the following branches:

  • stable
  • testing
  • unstable (-0.1)
     
  • x32-stable
  • x32-testing
  • x32-unstable (-0.1)

As is always the case for a short-turnaround update, this package has had only minimal testing.


Security advisory: https://www.videolan.org/security/sb-vlc308.html
Release notes: https://www.videolan.org/vlc/releases/3.0.8.html
Full changelog: https://www.videolan.org/developers/vlc-branch/NEWS
Overlay packaging files: https://gitlab.manjaro.org/security-overlay/vlc

Security:
 * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
 * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
 * Fix a read buffer overflow in the FAAD decoder
 * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
 * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
 * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
 * Fix a use after free in the ASF demuxer (CVE-2019-14533)
 * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
 * Fix a null dereference in the dvdnav demuxer
 * Fix a null dereference in the ASF demuxer (CVE-2019-14534)
 * Fix a null dereference in the AVI demuxer
 * Fix a division by zero in the CAF demuxer (CVE-2019-14498)
 * Fix a division by zero in the ASF demuxer (CVE-2019-14535)

Any issues?

  • 3.0.8-0 is working fine
  • 3.0.8-0 is broken for me (post details)
  • 3.0.8-0.1 is working fine
  • 3.0.8-0.1 is broken for me (post details)

0 voters

30 Likes

Wow, I found out about the VLC issue right from this topic

1 Like

Nice to have, read about v3.0.8 earlier on twitter, from their post:

Of course, the biggest "feature" is the number bump to 3.0.8 so that 'security scanners' stop warning about our past "security issue". :smiley:

Building with a vulnerable libebml will result in build failure.

Finally, starting from this release, we're starting to publish security bulletins for the VLC releases: https://videolan.org/security/sb-vlc308.html

1 Like

Since the update to VLC 3.0.8 I have the following problem: if I close VLC after playing any video file (mkv, mp4, whatever), XFCE logs off completely and I have to log on again. The error can be reproduced as often as you like.

Data point: I can't reproduce under MATE on unstable.

1 Like

I forgot to say: I use 18.10 rc 8. Maybe that's the reason?

That version only exists on the live installer environment; once installed it's "Manjaro".

If you're on testing, can you try the package from unstable?

What do I have to do? Must I switch to the unstable branch to download this?

Or just grab the package from a mirror.

Why will we need to wait 2 months to update?? 10-19? :upside_down_face::upside_down_face::upside_down_face::upside_down_face::upside_down_face::upside_down_face:

1 Like

xfce-gtk3-minimal, works OOTB. :100:

Yes. Anyone who already downloaded the package must wait until October before they are allowed to use it... :joy:


I've added a poll to check how many people are having issues. If problems are isolated then I don't have to worry as much about the package.

1 Like

A post was merged into an existing topic: VLC crashes, "free(): double free detected in tcache 2"

this is the worst timeline

By the way, maybe not directly related to the question, but talking about VLC, does anyone have any information about VLSub? A way to fix it?
It hasn't worked for me for some time now, I've been looking for information but I've never found anything relevant. Just some old things (maybe that is why it is not working anymore).
