About this blog

I am Eric Hameleers, and this is where I think out loud.
New VLC packages fix security hole in subtitle renderer

There was a recent upheaval about hundreds of millions of computers being at risk of being taken over completely by remote hackers. Not a kernel bug this time, but a weakness in the way that media players deal with subtitle files during video playback.
In particular, the KODI (XBMC) mediaplayer and VLC player were mentioned in a blog post by CheckPoint Software Technologies. Luckily, the developers of these multimedia players were informed well in advance of the public disclosure, so both KODI and VLC have updated their code and made new releases which plug the security hole. As the CheckPoint blog post mentions, vlc-2.2.5.1 fixes this vulnerability.

I released 2.2.5.1 packages for VLC (Slackware 14.2 and -current) yesterday, and when I was about to write a blog post about this security issue, I discovered that there was a VLC release 2.2.6, fresh from the press. Therefore I built new packages, this time for Slackware 14.1 as well, and those were just uploaded to my repository.
Between my previous 2.2.4 packages and these new ones, almost 11 months passed… and I only skipped a single release (2.2.5). Like I have said in the past, development has slowed down because the team is not getting bigger but the VLC for Android is getting a lot of attention (and therefore resources). Not a problem in itself I think. I am still using VLC daily, to play audio and (less frequently) watch videos. The only thing I am waiting for (which should be in release 3.x) is proper detection and playback of UPnP media sources in the local network.

One thing to mention still: after the Fraunhofer patents on MP3 encoding expired last month, it is now perfectly legal to release software that is able to encode MP3 audio. The ffmpeg in Slackware-current, and my own ffmpeg packages, were already updated and include the LAME library. My new VLC packages are now all capable of MP3 audio encoding as well.
The AAC audio format is still patented and therefore, the AAC encoding capability is only available in my ‘restricted’ packages.

Where to find the new VLC packages:

Rsync access is offered by the mirror server: rsync://bear.alienbase.nl/mirrors/people/alien/restricted_slackbuilds/vlc/ .

For BluRay support, read a previous article for hints about the aacs keys that you’ll need.

Note that I only built packages for Slackware 14.1, 14.2 & -current. I stopped creating packages for Slackware 14.0 and earlier because of the effort it takes to build 4 packages for every Slackware release.

My usual warning about patents: versions that can not only DEcode but also ENcode AAC audio can be found in my alternative repository where I keep the packages containing code that might violate stupid US software patents.

 

Comments

Comment from Paulo
Posted: May 26, 2017 at 16:31

Hi AlienBob, thanks for the package. VLC sometimes has quirks while playing video so I skip some releases. This one is working perfectly. Thank you.

Comment from travis82
Posted: June 4, 2017 at 11:10

Many thanks Eric. Would you please add rstudio-desktop to your great repository? I have a hard time building and installing JDK on my system.

Comment from alienbob
Posted: June 4, 2017 at 13:46

travis82 you can install my binary package for OpenJDK and then you can continue building rstudio-desktop. I have no interest in the latter, so it is not likely that I would add it to my repository.

Comment from travis82
Posted: June 8, 2017 at 12:37

Ok. Thanks for the instruction.
