FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

vlc -- Multiple vulnerabilities fixed in VLC media player

Affected packages
vlc < 3.0.10,4


VuXML ID 4a10902f-8a48-11ea-8668-e0d55e2a8bf9
Discovery 2020-04-01
Entry 2020-04-29

VideoLAN reports:


A remote user could:


If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.

While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.

We have not seen exploits performing code execution through these vulnerabilities

CVE-2019-19721 affects VLC 3.0.8 and earlier, and only reads 1 byte out of bound