[SRU] Update to bugfix release 3.0.8 in Bionic

Bug #1812480 reported by Mike Neac on 2019-01-19
This bug affects 3 people
Affects: vlc (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

[Impact]

VLC has received a bugfix update on the 3.0.x release path, which was recommended to us for additional stability in the Long Term Support release.

[Test Case]

Install vlc from bionic-proposed and test it for a decent amount of time. Play different video formats to catch any regressions, and use it as you normally would.

[Regression Potential]

The 3.0.x branch receives only bug fixes, which are cherry-picked from the master branch where the main development takes place. So, I think the regression potential is low.

[Other Info]

Here is the upstream Git repository: http://git.videolan.org/?p=vlc/vlc-3.0.git;a=summary

Upstream changelog:

Changes between 3.0.7.1 and 3.0.8:
----------------------------------

Core:
 * Fix stuttering for low framerate videos

Demux:
 * Fix channel ordering in some MP4 files
 * Fix glitches in TS over HLS
 * Add real probing of HLS streams
 * Fix HLS MIME type fallback

Decoder:
 * Fix WebVTT subtitles rendering

Stream filter:
 * Improve network buffering

Misc:
 * Update Youtube script

Audio Output:
 * macOS/iOS: Fix stuttering or blank audio when starting or seeking when using external audio devices (bluetooth for example)
 * macOS: Fix AV synchronization when using external audio devices

Video Output:
 * Direct3D11: Fix hardware acceleration for some AMD drivers

Stream output:
 * Fix transcoding when the decoder does not set the chroma

Security:
 * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
 * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
 * Fix a read buffer overflow in the FAAD decoder
 * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
 * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
 * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
 * Fix a use after free in the ASF demuxer (CVE-2019-14533)
 * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
 * Fix a null dereference in the dvdnav demuxer
 * Fix a null dereference in the ASF demuxer (CVE-2019-14534)
 * Fix a null dereference in the AVI demuxer
 * Fix a division by zero in the CAF demuxer (CVE-2019-14498)
 * Fix a division by zero in the ASF demuxer (CVE-2019-14535)

Contribs:
 * Update to a newer libmodplug version (0.8.9.0)
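
As an added check for the [Test Case] above (example code, not part of this bug report or of the vlc package): a POSIX sh script that enables bionic-proposed pinned at low priority so that only vlc is pulled from that pocket, then confirms from the `vlc --version` banner that the installed build is 3.0.8 or later, the release whose changelog lists the demuxer and decoder CVE fixes. The archive mirror URL and the two file names under /etc/apt are assumptions for this example, and the version banners used in the self-check are constructed.

```shell
#!/bin/sh
# Added example (not part of the Launchpad report): verify that the vlc
# package under test is at least 3.0.8, the release whose changelog above
# lists the demuxer/decoder CVE fixes.  The apt pinning follows Ubuntu's
# usual "enable -proposed for one package" pattern; the archive URL and the
# two file names in enable_bionic_proposed_for_vlc are assumptions.

# Enable bionic-proposed at low priority so only the explicitly requested
# package (vlc) is taken from it, then install vlc from that pocket.
# Needs root; not run by the self-check at the bottom of this script.
enable_bionic_proposed_for_vlc() {
    echo 'deb http://archive.ubuntu.com/ubuntu/ bionic-proposed main universe' \
        > /etc/apt/sources.list.d/bionic-proposed.list
    printf '%s\n' 'Package: *' 'Pin: release a=bionic-proposed' 'Pin-Priority: 400' \
        > /etc/apt/preferences.d/bionic-proposed
    apt-get update
    apt-get install -y -t bionic-proposed vlc
}

# Extract the upstream version ("3.0.8") from the first line of `vlc --version`.
vlc_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^VLC version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric, component-wise comparison of dotted versions.
# Returns 0 when $1 >= $2, else 1.  Debian revisions ("-0ubuntu1") and
# pre-release suffixes are stripped; missing components count as 0.
version_at_least() {
    have=${1%%[-+~]*}
    want=${2%%[-+~]*}
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        w=${want%%.*}
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
        h=$(printf '%s' "$h" | tr -cd '0-9'); h=${h:-0}
        w=$(printf '%s' "$w" | tr -cd '0-9'); w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
    done
    return 0
}

# Does this `vlc --version` banner show 3.0.8 or later?
# Prints a verdict and returns 0/1 so it can gate a larger test script.
sru_version_ok() {
    banner=$1
    v=$(vlc_version_from_banner "$banner")
    if [ -z "$v" ]; then
        echo "could not parse a VLC version from: $banner"
        return 1
    fi
    if version_at_least "$v" 3.0.8; then
        echo "vlc $v: carries the 3.0.8 fixes"
        return 0
    fi
    echo "vlc $v: older than 3.0.8, still missing the listed fixes"
    return 1
}

# Self-check on constructed banners; on a real system feed it
# "$(vlc --version 2>/dev/null | head -n 1)" instead.
sru_version_ok 'VLC version 3.0.8 Vetinari (3.0.8-0-gf350b6b5a7)' || exit 1
if sru_version_ok 'VLC version 3.0.1 Vetinari (3.0.1-0-g7a75a85)'; then exit 1; fi
```

Run the self-check without root to see the two verdicts; run `enable_bionic_proposed_for_vlc` as root on the Bionic test machine and then pass the real `vlc --version` banner to `sru_version_ok` before starting the playback testing the report asks for.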

Alex Murray (alexmurray) on 2019-01-22
information type: Private Security → Public
Sebastian Ramacher (s-ramacher) wrote :

> * Fix CAF integer-underflow

This change fixes CVE-2018-19857.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in vlc (Ubuntu):
status: New → Confirmed
P.D. (paed808) wrote :

Please update VLC so I can stop using a third party PPA for the latest version.

Sebastian Ramacher (s-ramacher) wrote :

vlc 3.0.7 was released fixing another 20+ security issues. So please update to 3.0.7 instead.

P.D. (paed808) on 2019-06-13
summary: - [SRU] Update to bugfix release 3.0.6 in Bionic
+ [SRU] Update to bugfix release 3.0.7 in Bionic

Will this ever be updated for Bionic?
I don't like the sound of "remote code execution exploit."
Apt version is now vulnerable, best way to install/update as of now appears to be snap.

information type: Public → Public Security
summary: - [SRU] Update to bugfix release 3.0.7 in Bionic
+ [SRU] Update to bugfix release 3.0.8 in Bionic
description: updated
tags: added: bionic
removed: cve-2018-19857
Changed in vlc (Ubuntu):
status: Confirmed → Fix Released