New VLC packages fix security hole in subtitle renderer
There was a recent upheaval about hundreds of millions of computers being at risk of being taken over completely by remote hackers. Not a kernel bug this time, but a weakness in the way that media players deal with subtitle files during video playback.
In particular, the KODI (XBMC) mediaplayer and VLC player were mentioned in a blog post by CheckPoint Software Technologies. Luckily, the developers of these multimedia players were informed well in advance of the public disclosure, so both KODI and VLC have updated their code and made new releases which plug the security hole. As the CheckPoint blog post mentions, vlc-126.96.36.199 fixes this vulnerability.
I released 188.8.131.52 packages for VLC (Slackware 14.2 and -current) yesterday, and when I was about to write a blog post about this security issue, I discovered that there was a VLC release 2.2.6, fresh from the press. Therefore I built new packages, this time for Slackware 14.1 as well, and those were just uploaded to my repository.
Between my previous 2.2.4 packages and these new ones, almost 11 months passed… and I only skipped a single release (2.2.5). Like I have said in the past, development has slowed down because the team is not getting bigger but the VLC for Android is getting a lot of attention (and therefore resources). Not a problem in itself I think. I am still using VLC daily, to play audio and (less frequently) watch videos. The only thing I am waiting for (which should be in release 3.x) is proper detection and playback of UPnP media sources in the local network.
One thing to mention still: after the Fraunhofer patents on MP3 encoding expired last month, it is now perfectly legal to release software that is able to encode MP3 audio. The ffmpeg in Slackware-current, and my own ffmpeg packages, were already updated and include the LAME library. My new VLC packages are now all capable of MP3 audio encoding as well.
The AAC audio format is still patented and therefore, the AAC encoding capability is only available in my ‘restricted‘ packages.
Where to find the new VLC packages:
- http://slackware.com/~alien/slackbuilds/vlc/ (only containing the versions that do not violate US patents).
This repository is mirrored at http://bear.alienbase.nl/mirrors/people/alien/slackbuilds/vlc/ .
If you want to play encrypted DVD’s please install the libdvdccss package separately.
(alternative repository containing packages capable of AAC encoding and encrypted DVD playback).
Rsync access is offered by the mirror server: rsync://bear.alienbase.nl/mirrors/people/alien/restricted_slackbuilds/vlc/ .
For BluRay support, read a previous article for hints about the aacs keys that you’ll need.
Note that I only built packages for Slackware 14.1, 14.2 & -current. I stopped creating packages for Slackware 14.0 and earlier because of the effort it takes to build 4 packages for every Slackware release.
My usual warning about patents: versions that can not only DEcode but also ENcode AAC audio can be found in my alternative repository where I keep the packages containing code that might violate stupid US software patents.