[Matroska-users] MKVToolNix v28.2.0 released

Moritz Bunkus moritz at bunkus.org
Thu Oct 25 23:29:14 CEST 2018


unfortunately I have to release a third time within a week: this time due
to a use-after-free bug in all programs that make up the MKVToolNix
package. This type of vulnerability allows arbitrary code execution using
specially crafted Matroska files. It was introduced in v5.5.0 and affects
all following releases up to and including the latest one, v28.1.0. Hence
today's bug fix release.

Here are the usual links:

…to the source code: https://mkvtoolnix.download/source.html
…to the binaries: https://mkvtoolnix.download/downloads.html

The Windows and macOS binaries as well as the Linux AppImage are
available already. The other Linux binaries are still being built and
will be available over the course of the next couple of hours.

Here are the NEWS since the previous release:

# Version 28.2.0 "The Awakening" 2018-10-25

## Bug fixes

* mkvmerge, mkvinfo, mkvextract, mkvpropedit, MKVToolNix GUI's info tool &
  chapter editor: fixed a case of memory being accessed after it had been
  freed earlier. This can be triggered by specially crafted Matroska files and
  lead to arbitrary code execution. The vulnerability was reported as Cisco
  TALOS 2018-0694 on 2018-10-25.

Have fun :)
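
The following check is an added example, not part of the original announcement or of MKVToolNix itself: it classifies a version banner against the range stated above (introduced in v5.5.0, affected up to and including v28.1.0, fixed in v28.2.0) and runs over the command-line tools named in the NEWS entry. It assumes each tool prints a first line of the form `<tool> v<version> (...)` for `--version`; the function names and result labels are made up for this example.

```shell
#!/bin/sh
# Added example: is an installed MKVToolNix build inside the affected range
# given in the announcement (v5.5.0 through v28.1.0, fixed in v28.2.0)?

# classify_version BANNER
# Prints one of: affected | fixed | predates | unknown
classify_version() {
    printf '%s\n' "$1" | awk '
        # Map "major.minor.patch" to one comparable number; missing parts count as 0.
        function key(v,   p) {
            split(v, p, ".")
            return (p[1] + 0) * 1000000 + (p[2] + 0) * 1000 + (p[3] + 0)
        }
        {
            # Assumed banner shape: "<tool> v<version> (...)".
            if (!match($0, /v[0-9]+(\.[0-9]+)+/)) { print "unknown"; exit }
            k = key(substr($0, RSTART + 1, RLENGTH - 1))
            if (k < key("5.5.0"))        print "predates"   # older than the release that introduced the bug
            else if (k <= key("28.1.0")) print "affected"
            else                         print "fixed"
            exit
        }'
}

# Check every command-line tool listed in the NEWS entry that is on PATH.
audit_installed() {
    for tool in mkvmerge mkvinfo mkvextract mkvpropedit; do
        if command -v "$tool" >/dev/null 2>&1; then
            banner=$("$tool" --version 2>/dev/null | head -n 1)
            printf '%s: %s (%s)\n' "$tool" "$(classify_version "$banner")" "$banner"
        fi
    done
}

audit_installed
```

The MKVToolNix GUI and AppImage builds are not on PATH under these names and need to be checked separately.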

