Ubuntu Security Notice 6180-1 - It was discovered that VLC could be made to read out of bounds when decoding image files. If a user were tricked into opening a crafted image file, a remote attacker could possibly use this issue to cause VLC to crash, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that VLC could be made to write out of bounds when processing H.264 video files. If a user were tricked into opening a crafted H.264 video file, a remote attacker could possibly use this issue to cause VLC to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
c52af8630ae166c542bdfafe10cf863aa88d4e80d4e6850258db0ed837428cb6
==========================================================================
Ubuntu Security Notice USN-6180-1
June 20, 2023
vlc vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in VLC media player.
Software Description:
- vlc: multimedia player and streamer
Details:
It was discovered that VLC could be made to read out of bounds when
decoding image files. If a user were tricked into opening a crafted image
file, a remote attacker could possibly use this issue to cause VLC to
crash, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-19721)
It was discovered that VLC could be made to write out of bounds when
processing H.264 video files. If a user were tricked into opening a
crafted H.264 video file, a remote attacker could possibly use this issue
to cause VLC to crash, leading to a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-13428)
It was discovered that VLC could be made to read out of bounds when
processing AVI video files. If a user were tricked into opening a crafted
AVI video file, a remote attacker could possibly use this issue to cause
VLC to crash, leading to a denial of service. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-25801,
CVE-2021-25802, CVE-2021-25803, CVE-2021-25804)
It was discovered that the VNC module of VLC contained an arithmetic
overflow. If a user were tricked into opening a crafted playlist or
connecting to a rouge VNC server, a remote attacker could possibly use
this issue to cause VLC to crash, leading to a denial of service, or
possibly execute arbitrary code. (CVE-2022-41325)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
vlc 3.0.17.4-5ubuntu0.1
vlc-plugin-access-extra 3.0.17.4-5ubuntu0.1
Ubuntu 22.04 LTS (Available with Ubuntu Pro):
vlc 3.0.16-1ubuntu0.1~esm1
vlc-plugin-access-extra 3.0.16-1ubuntu0.1~esm1
Ubuntu 20.04 LTS (Available with Ubuntu Pro):
vlc 3.0.9.2-1ubuntu0.1~esm1
vlc-plugin-access-extra 3.0.9.2-1ubuntu0.1~esm1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
vlc 3.0.8-0ubuntu18.04.1+esm1
vlc-plugin-access-extra 3.0.8-0ubuntu18.04.1+esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
vlc 2.2.2-5ubuntu0.16.04.5+esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6180-1
CVE-2019-19721, CVE-2020-13428, CVE-2021-25801, CVE-2021-25802,
CVE-2021-25803, CVE-2021-25804, CVE-2022-41325
Package Information:
https://launchpad.net/ubuntu/+source/vlc/3.0.17.4-5ubuntu0.1