The creators of the popular multi-platform VLC multimedia player have recently released version 3.0.8, which fixes more than a dozen security vulnerabilities as well as several other issues.
A detailed description of the individual bugs and their effects is not available. According to the creators' announcement, the individual bugs are likely to lead only to the player crashing. However, it cannot be ruled out that a combination of several of them could allow an attacker to run code of their choosing once the user opens a specially crafted media file, and thus potentially gain control of the computer.
The bugs are found, for example, in the MKV, MP4, AVI, dvdnav, ASF, CAF and OGG demuxers and in the FAAD and avcodec decoders.
The fixes in version 3.0.8 follow a large number of bugs that were fixed in version 3.0.7 in June. In that case, the corrected errors were reported through the FOSSA project, with financial support from the European Commission. It is not clear whether some of the currently fixed bugs are also a result of this project.
Concerning the security of VLC, there was also a curious incident in July. Various media organizations working with vulnerability information published reports of critical and, above all, persistent and long-term vulnerabilities in VLC, including in the latest version for Windows, but the information was not correct.
The current version of VLC can be downloaded from the VLC media player page.