I wanted to alert readers to the VLC Player 3.0.20 update, which fixes a potential security issue. VLC Player may not be accurately checking for and alerting users to these new updates, so download it manually if needed and verify you are running the current version (3.0.20).
For some reason the VideoLAN pages have not been updated since a May posting about iOS/iPadOS. Prior to that was the November 2022 announcement for VLC Player 3.0.18. Long dry spell.
Of particular importance, VLC 3.0.19 (released early just 3 weeks prior) updated the libvpx library (aka. WebM) which was part of the recent Critical fixes made to every web browser, some OS’ and numerous products.
Google’s Threat Analysis Group, led by Clément Lecigne, has discovered a high-severity heap buffer overflow vulnerability in the libvpx library, specifically in its VP8 encoding component. The issue is registered as CVE-2023-5217. This vulnerability allows for arbitrary code execution, enabling an attacker to run malicious software on a targeted system.
The exploit for this vulnerability is known to exist in the wild, raising immediate concerns. Affected by this issue are various applications and services that employ the libvpx library for VP8 and VP9 video encoding and decoding.
This includes WebRTC platforms, streaming services using VP8 or VP9 formats, and even mobile apps. Multimedia applications and services relying on FFmpeg, which uses libvpx, are also at risk.
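A small check for the advice in the first post (verify you are actually on 3.0.20 rather than trusting the in-app updater), added here as an example and not code from the thread or from VideoLAN. It assumes a POSIX sh with GNU coreutils `sort -V`, that `vlc --version` prints a first line starting with `VLC version <number>`, and a hypothetical script name `vlc_check.sh`; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: report whether the installed VLC is at or above 3.0.20.
# Assumes GNU coreutils (sort -V) and a `vlc` binary on PATH for main().

MIN_VLC_VERSION="3.0.20"

# vlc_version_ok VERSION
# Returns 0 when VERSION >= MIN_VLC_VERSION, 1 otherwise.
# Accepts raw numbers ("3.0.17.4", "3.0.20.0") or a full first line of
# `vlc --version` ("VLC version 3.0.21 Vetinari"); three- and four-part
# versions compare correctly because sort -V orders by numeric components.
vlc_version_ok() {
    ver="$1"
    [ -n "$ver" ] || return 1
    # Keep only the leading dotted number, dropping any prefix or code name.
    ver=$(printf '%s\n' "$ver" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    lowest=$(printf '%s\n%s\n' "$MIN_VLC_VERSION" "$ver" | sort -V | head -n 1)
    # If the minimum sorts first (or equal), the installed version is new enough.
    [ "$lowest" = "$MIN_VLC_VERSION" ]
}

# installed_vlc_version
# Prints the version number from `vlc --version`; returns 1 if vlc is absent.
installed_vlc_version() {
    command -v vlc >/dev/null 2>&1 || return 1
    vlc --version 2>/dev/null | sed -n 's/^VLC version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

main() {
    v=$(installed_vlc_version) || { echo "vlc not found in PATH"; return 2; }
    if vlc_version_ok "$v"; then
        echo "VLC $v: at or above $MIN_VLC_VERSION"
    else
        echo "VLC $v: older than $MIN_VLC_VERSION, update manually from videolan.org"
        return 1
    fi
}

# Run the check only when executed as vlc_check.sh, so the functions can be sourced.
[ "$(basename "$0")" = "vlc_check.sh" ] && main
```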
VLC informed me some time ago that they purposely delay allowing updates from the current app until they are comfortable that there are no issues with the new version.
Specifically with v3.0.19 they informed me that there was an issue with the Windows version, so they never allowed self-update of that version for all platforms. I had no problem self-updating to v3.0.20 the day it came out.
VLC doesn’t appear to test every feature for every release. Maybe this just isn’t practical, due to the scope of what it is designed to stream, but this has bitten me in the recent past.
As a part of my work, I sometimes need to stream video (H.264 wrapped in RTP transmitted over UDP) from an embedded device I’m working on to an attached Linux PC. When I recently upgraded this PC from Debian 10 (last updated September 2022, under long-term-support until June 2024) to Debian 11 (last updated October 7), the VLC package upgraded from version 3.0.17.4 to 3.0.18.0, and the result couldn’t stream from my device.
I ended up removing the Debian package and installing the corresponding Snap package from VLC to get the latest (3.0.19.0), which was able to stream my content.
So I think it is a good thing that they don’t auto-update your installation. The last thing you want is for an automatic update to break your usage. If you do it manually, then you should be able to schedule your update for a timer where you can try a different version, should the automatic update break something.
(I see that Debian 11 has recently upgraded its VLC from 3.0.18 to 3.0.20.0, so I may try again with the Debian-distributed version, but I’ll wait until I have time to test it, and I won’t remove my Snap-installed version until I know the Debian-provided version is good.)