New VLC packages fix security hole in subtitle renderer

There was a recent upheaval about hundreds of millions of computers being at risk of being taken over completely by remote hackers. Not a kernel bug this time, but a weakness in the way that media players deal with subtitle files during video playback.
In particular, the KODI (XBMC) media player and VLC player were mentioned in a blog post by CheckPoint Software Technologies. Luckily, the developers of these multimedia players were informed well in advance of the public disclosure, so both KODI and VLC have updated their code and made new releases which plug the security hole. As the CheckPoint blog post mentions, vlc-2.2.5.1 fixes this vulnerability.

I released 2.2.5.1 packages for VLC (Slackware 14.2 and -current) yesterday, and when I was about to write a blog post about this security issue, I discovered that there was a VLC release 2.2.6, fresh from the press. Therefore I built new packages, this time for Slackware 14.1 as well, and those were just uploaded to my repository.
Between my previous 2.2.4 packages and these new ones, almost 11 months passed… and I only skipped a single release (2.2.5). Like I have said in the past, development has slowed down because the team is not getting bigger but the VLC for Android is getting a lot of attention (and therefore resources). Not a problem in itself I think. I am still using VLC daily, to play audio and (less frequently) watch videos. The only thing I am waiting for (which should be in release 3.x) is proper detection and playback of UPnP media sources in the local network.

One thing to mention still: after the Fraunhofer patents on MP3 encoding expired last month, it is now perfectly legal to release software that is able to encode MP3 audio. The ffmpeg in Slackware-current, and my own ffmpeg packages, were already updated and include the LAME library. My new VLC packages are now all capable of MP3 audio encoding as well.
The AAC audio format is still patented and therefore, the AAC encoding capability is only available in my ‘restricted’ packages.

Where to find the new VLC packages:

Rsync access is offered by the mirror server: rsync://bear.alienbase.nl/mirrors/people/alien/restricted_slackbuilds/vlc/ .

For BluRay support, read a previous article for hints about the aacs keys that you’ll need.

Note that I only built packages for Slackware 14.1, 14.2 & -current. I stopped creating packages for Slackware 14.0 and earlier because of the effort it takes to build 4 packages for every Slackware release.

My usual warning about patents: versions that can not only DEcode but also ENcode AAC audio can be found in my alternative repository where I keep the packages containing code that might violate stupid US software patents.

 

4 thoughts on “New VLC packages fix security hole in subtitle renderer”

  1. Hi AlienBob, thanks for the package. VLC sometimes has quirks while playing video so I skip some releases. This one is working perfectly. Thank you.


  2. Many thanks Eric. Would you please add rstudio-desktop to your great repository? I have a hard time building and installing Jdk on my system.


  3. travis82, you can install my binary package for OpenJDK and then you can continue building rstudio-desktop. I have no interest in the latter, so it is not likely that I would add it to my repository.


