==========================================================================
Ubuntu Security Notice USN-6180-1
June 20, 2023

vlc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in VLC media player.

Software Description:
- vlc: multimedia player and streamer

Details:

It was discovered that VLC could be made to read out of bounds when
decoding image files. If a user were tricked into opening a crafted image
file, a remote attacker could possibly use this issue to cause VLC to
crash, leading to a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-19721)

It was discovered that VLC could be made to write out of bounds when
processing H.264 video files. If a user were tricked into opening a
crafted H.264 video file, a remote attacker could possibly use this issue
to cause VLC to crash, leading to a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-13428)

It was discovered that VLC could be made to read out of bounds when
processing AVI video files. If a user were tricked into opening a crafted
AVI video file, a remote attacker could possibly use this issue to cause
VLC to crash, leading to a denial of service. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-25801,
CVE-2021-25802, CVE-2021-25803, CVE-2021-25804)

It was discovered that the VNC module of VLC contained an arithmetic
overflow. If a user were tricked into opening a crafted playlist or
connecting to a rouge VNC server, a remote attacker could possibly use
this issue to cause VLC to crash, leading to a denial of service, or
possibly execute arbitrary code. (CVE-2022-41325)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
   vlc                             3.0.17.4-5ubuntu0.1
   vlc-plugin-access-extra         3.0.17.4-5ubuntu0.1

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
   vlc                             3.0.16-1ubuntu0.1~esm1
   vlc-plugin-access-extra         3.0.16-1ubuntu0.1~esm1

Ubuntu 20.04 LTS (Available with Ubuntu Pro):
   vlc                             3.0.9.2-1ubuntu0.1~esm1
   vlc-plugin-access-extra         3.0.9.2-1ubuntu0.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
   vlc                             3.0.8-0ubuntu18.04.1+esm1
   vlc-plugin-access-extra         3.0.8-0ubuntu18.04.1+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
   vlc                             2.2.2-5ubuntu0.16.04.5+esm2

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-6180-1
   CVE-2019-19721, CVE-2020-13428, CVE-2021-25801, CVE-2021-25802,
   CVE-2021-25803, CVE-2021-25804, CVE-2022-41325

Package Information:
   https://launchpad.net/ubuntu/+source/vlc/3.0.17.4-5ubuntu0.1