Introduced media player release VLC 3.0.12 , which fixes several vulnerabilities , which could potentially lead to code execution when trying to play specially designed media files. The list of changes also notes the work on improving the security of the web interface.
From non-security improvements :
- Added new output and access modules with support for the RIST (Reliable Internet Stream Transport) protocol described in the specification VSF_TR -06-1 .
- Improved track support in the media container demuxer
Bluray, DASH format and cross-threading when handling WMV containers. Fixed crashes in AVI and MKV modules. - The interface in macOS assemblies has been adapted for the macOS Big Sur release.
- Added support for new Apple devices with M1 chip. This support has been improved in the next published VLC 3.0.12.1 update.
- Updated scripts for accessing YouTube and Vocaroo services.
Additionally, you can check vulnerability ( CVE-2021-3185 ) in the implementation of the h264parse module developed by the GStreamer project (included in the gstreamer-plugins-bad set). The problem is caused by a buffer overflow in the gst_h264_slice_parse_dec_ref_pic_marking function and allows you to organize the execution of your code when processing specially formatted H.264 data in Gstreamer. Vulnerability fixed in gstreamer updates 1.18.1 and 1.16 The researchers who identified the vulnerability claim that they were able to prepare an exploit prototype to launch an attack on systems with vulnerable GStreamer releases, but it is noted that in modern Linux distributions it will be much more difficult to exploit the problem due to the application of additional protection, such as canary tags and address randomization. .