  • VLC releases a final bug-fixing version just before we enter the 4.0 branch age.
  • There are 33 fixes to security flaws: two of high severity, 21 of medium, and 10 of low.
  • The next version will bring many new features and improvements, but we’ll have to wait.

VLC, the world’s most popular and widely used media player, has released bug-fixing version 3.0.7, which plugs 33 flaws, two of which are pretty severe. The application benefited from a recent HackerOne bug bounty program, financially supported by the European Commission, that uncovered several security problems. Now, Jean-Baptiste Kempf, president of the open source project, has announced that the team fixed all of the discoveries in 3.0.7, so everyone is urged to upgrade to the latest version immediately.

The two severe flaws are the following:

  • An out-of-bounds write caused by a deficiency in the faad2 library, which is an unmaintained dependency of the media player.
  • A stack buffer overflow in the upcoming RIST module, which concerns the 4.0 beta.

Of the remaining flaws, 21 are medium-severity issues and another 10 are low-severity. The medium-severity vulnerabilities concern heap overflows, NULL-dereference issues, and out-of-bounds reads. Kempf clarifies that while these flaws may not be exploitable, they can cause the media player to crash, so fixing them was important. The low-severity bugs have to do with integer overflows, divisions by zero, and no-impact out-of-bounds reads. These issues are also deemed non-exploitable, but they were fixed for the sake of keeping things clean and tidy.

Version 3.0.7 is probably the last bug-fixing release before the next major release, which will be 4.0. What users should expect from version 4.0 includes big interface improvements, significant optimizations to the video output architecture, a revamped media library, and support for 3D and virtual reality. Another feature that will land in 4.0, and which concerns streaming users, is pushing subtitles to Chromecast devices, something that people have been requesting for quite a while now. Finally, VLC 4.0 will support Oculus, PSVR, and Vive, while there will also be AirPlay output, UPnP rendering, RIST (in and out), and a lot more.


For those of you who can’t wait a little longer to check out VLC 4.0, you may go ahead and download the beta at your own risk (of instability). For the rest, just grab version 3.0.7 and stay safe while consuming your favorite media. If you already have VLC installed on your system, merely launching it will bring up an update notice, so you don’t have to download it from the website.
