Update 1.1.6, released just last week, fixed a critical vulnerability in the VideoLAN project's VLC Media Player. Now the project has reported a new vulnerability which can be exploited using specially crafted MKV (Matroska Video and WebM) films to inject malicious code onto a system and execute that code with the user's privileges. All versions up to and including 1.1.6 are affected.
The root of the problem lies with insufficient input validation in the MKV demuxer plugin (libmkv_plugin.*). The update consists of swapping a single line within a macro. The change has already found its way into the Git repository, but currently no further. An official update, version 1.1.7, is expected to be released shortly.
Source
The root of the problem lies with insufficient input validation in the MKV demuxer plugin (libmkv_plugin.*). The update consists of swapping a single line within a macro. The change has already found its way into the Git repository, but currently no further. An official update, version 1.1.7, is expected to be released shortly.
Source
