Headline
Ubuntu Security Notice USN-6180-1
Ubuntu Security Notice 6180-1 - It was discovered that VLC could be made to read out of bounds when decoding image files. If a user were tricked into opening a crafted image file, a remote attacker could possibly use this issue to cause VLC to crash, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that VLC could be made to write out of bounds when processing H.264 video files. If a user were tricked into opening a crafted H.264 video file, a remote attacker could possibly use this issue to cause VLC to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
==========================================================================
Ubuntu Security Notice USN-6180-1
June 20, 2023

vlc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in VLC media player.

Software Description:
- vlc: multimedia player and streamer

Details:

It was discovered that VLC could be made to read out of bounds when
decoding image files. If a user were tricked into opening a crafted image
file, a remote attacker could possibly use this issue to cause VLC to
crash, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-19721)

It was discovered that VLC could be made to write out of bounds when
processing H.264 video files. If a user were tricked into opening a
crafted H.264 video file, a remote attacker could possibly use this issue
to cause VLC to crash, leading to a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-13428)

It was discovered that VLC could be made to read out of bounds when
processing AVI video files. If a user were tricked into opening a crafted
AVI video file, a remote attacker could possibly use this issue to cause
VLC to crash, leading to a denial of service. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-25801,
CVE-2021-25802, CVE-2021-25803, CVE-2021-25804)

It was discovered that the VNC module of VLC contained an arithmetic
overflow. If a user were tricked into opening a crafted playlist or
connecting to a rogue VNC server, a remote attacker could possibly use
this issue to cause VLC to crash, leading to a denial of service, or
possibly execute arbitrary code. (CVE-2022-41325)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  vlc                             3.0.17.4-5ubuntu0.1
  vlc-plugin-access-extra         3.0.17.4-5ubuntu0.1

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
  vlc                             3.0.16-1ubuntu0.1~esm1
  vlc-plugin-access-extra         3.0.16-1ubuntu0.1~esm1

Ubuntu 20.04 LTS (Available with Ubuntu Pro):
  vlc                             3.0.9.2-1ubuntu0.1~esm1
  vlc-plugin-access-extra         3.0.9.2-1ubuntu0.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  vlc                             3.0.8-0ubuntu18.04.1+esm1
  vlc-plugin-access-extra         3.0.8-0ubuntu18.04.1+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  vlc                             2.2.2-5ubuntu0.16.04.5+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6180-1
  CVE-2019-19721, CVE-2020-13428, CVE-2021-25801, CVE-2021-25802,
  CVE-2021-25803, CVE-2021-25804, CVE-2022-41325

Package Information:
  https://launchpad.net/ubuntu/+source/vlc/3.0.17.4-5ubuntu0.1
Related news
Gentoo Linux Security Advisory 202409-17 - Multiple vulnerabilities have been discovered in VLC, the worst of which could result in arbitrary code execution. Versions greater than or equal to 3.0.20 are affected.
Debian Linux Security Advisory 5297-1 - A buffer overflow was discovered in the VNC module of the VLC media player, which could result in the execution of arbitrary code.
An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions.
A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 for macOS/iOS allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.