The main improvements in this release include a bugging fix while looking at low frame rate videos, better adaptive support for streaming, fixed WebVTT subtitles, and an improved audio performance in macOS and iOS. This release also addresses 13 vulnerabilities, including many buffer overflows, zero-by-zero dereferences, and zero vulnerabilities. Many of these, if not all, vulnerabilities have been directly found by VLC developers. According to VideoLan’s safety newsletter, a remote user creating a specially designed file and tricking a user to open it could exploit these vulnerabilities. This would cause a crash or execute code in the user logged in safety context. A malicious third party may successfully trigger either a VLC crash or the execution of arbitration code with the privileges of the target user. Whilst these problems themselves are most likely to crash a player, we can not rule out the possibility to combine them to leak user information or execute code remotely. ASLR and DEP assist to decrease, but can be bypassed, the probability of code implementation. Whereas the CVE CVE-2019-13602 & CVE-2019-13962 mention a base rating of 8.8 and 9.8, respectively, the VideoLAN team thinks that this seriousness would be extremely exaggerated; in our view a basic rating of 4.3 (AV: N / AC: L / PR: N / UI: R / S: U / C: N / I: N / A: L) would be more sensible. Because the security vulnerabilities in this release have been fixed, it is strongly noted that all users download and install version 3.0.8. CVE-2019-13962 only impacts VLC 3.0.2 through 3.0.7.1. You can find the complete change log for version 3.0.8 below:
