VideoLAN Security Bulletin VLC 3.0.19 - VideoLAN
VideoLAN, a project and a non-profit organization.

Security Bulletin VLC 3.0.19

Summary           : Two vulnerabilities fixed in VLC media player
Date              : November 2023
Affected versions : VLC media player 3.0.18 and earlier
ID                : VideoLAN-SB-VLC-3019

Details

Fix potential arbitrary code execution with system priviledges on uninstallation on Windows (!4292, CVE-2023-46814)

Impact

If successful, a malicious third party could trigger an execution of an arbitrary binary on uninstallation of VLC with system priviledges.

We have not seen exploits performing code execution through this vulnerability.


Threat mitigation

Exploitation of this issue requires the user to explicitly uninstall VLC using the provided uninstaller.

Workarounds

Keep VLC installed until updated to version 3.0.19 or later.

Solution

VLC media player 3.0.19 addresses the issue.

Credits

The NSIS uninstaller vulnerability was reported by the Lockheed Martin Red Team (!4292, CVE-2023-46814).

Additional notes

VLC 3.0.19 also bumps some dependencies, notably zlib and vpx, following the publication of CVE-2022-37434 and CVE-2023-5217.

References

The VideoLAN project
http://www.videolan.org/
VLC official GIT repository
http://git.videolan.org/?p=vlc.git