The security issue fixed in this release is a NULL dereference vulnerability that causes a crash when an invalid URL is processed by the HTTP and RTSP server components. If exploited successfully, it allows a malicious third party to crash the server process; however, arbitrary code execution is not believed to be possible.
For the vulnerability to be exploited, the user has to explicitly start the HTTP web interface, HTTP output, RTSP output or RTSP VoD functions.
Other changes between 1.1.11 and 1.1.12:
- Mac OS X / auhal: multiple fixes for the Digital Audio output (S/PDIF) including support for OS X Lion
- Multiple fixes and improved synchronization for PulseAudio support
- Support for AC-3 and DTS passthrough with PulseAudio 1.0
- Fix crashes with Japanese locale on OS X
- Minor fixes for Webplugin under Win32, AVI demuxer, smem and AudioScrobbler
VLC 1.1.12 is available for download from the project’s web site