July 23, 2014

VLC fixes a couple of security vulnerabilities and adds support for Retina display on the new MacBook Pro

VLC 2.0.2 “Twoflower”, which is being called “an important update”, has been released by the VLC project team to fix a series of regressions in the 2.0.x branch of VLC, to fix a couple of security vulnerabilities and to add support for Apple’s Retina Display (HiDPI) on the new MacBook Pros.

According to the release page, 2.0.2 fixes a couple of hundred bugs and adds more than 500 commits on top of 2.0.1. These fixes include:

  • Fix video output for old graphics cards on Windows XP, which are using DirectX
  • Fix video output on old Macs, notably PowerPC and GMA950 Intel Macs
  • Fixes for split RAR, segmented MKV, MP4 and Real media file playback
  • Fixes for subtitles auto-detection
  • Fixes on Qt, skins2 and web interfaces
  • Fixed crash when trying to open an Audio CD by drag & drop
  • Fixed a crash when attaching hard drives with multiple partitions while VLC is running

According to a blog post by VLC developer Felix Kühne, VLC 2.0.2 also includes the following security content:

  • Fixed Ogg Heap buffer overflow
  • Updated taglib (CVE-2012-2396)

CVE-2012-2396 describes how VLC 2.0.1 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a specially crafted MP4 file. More details on this can be found here where an exploit and POC are given.

More details about VLC 2.0.2 can be found in the release notes and it can be downloaded for Windows, Mac OS X and Linux here.

Critical Vulnerabilities Found and Fixed in VLC Player but Opera Web Browser Not so Lucky Yet

Two critical heap corruption vulnerabilities have been discovered in the rarely used decoder for the CDG format in the VLC player. These index validation bugs could theoretically allow a maliciously crafted CDG video to corrupt the heap in a deliberate manner and potentially execute injected code.

As a response to these bugs, and a problem with the Real demuxer which could allow a remote denial of service attack, VLC V1.1.6 has been released. Other changes in V1.1.6 include faster Webm/VP8 decoding.

V1.1.5 of VLC was downloaded 58 million times since its release two months ago. The fixes are for potentially exploitable vulnerabilities, although no actual practical exploits have been documented. The same can’t be said, however, for the Opera Web browser.

Back in January, a bug report was posted by Jordi Chancel which identified a vulnerability in Opera’s handling of an HTML “select” element containing an overly large number of children. This bug could be exploited by remote attackers to take complete control of a vulnerable system.

It now appears that VUPEN has succeeded in exploiting this bug to inject and execute code. This means that specially crafted web pages could exploit this vulnerability and infect Windows systems with malware. The bug has been confirmed in Opera 11.00 and earlier and 10.63 and earlier for Windows 7 and XP SP3. At present there’s no patch or update for the problem.