This is latest security advisory from VLC
Security Advisory 1901
Summary : Read buffer overflow & double free Date
: June 2019 Affected versions : VLC media player 3.0.6 and earlier ID : VideoLAN-SA-1901 CVE reference : CVE-2019-5439, CVE-2019-12874Details
A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively Impact
If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user. Threat mitigation
Exploitation of those issues requires the user to explicitly open a specially crafted file or stream.
ASLR and DEP help reduce exposure, but may be bypassed. Workarounds
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied. Solution
VLC media player 3.0.7 addresses the issue.
According to them, installing VLC media player 3.0.7 will fix the issue.
However, the one available in Ubuntu is the old version 3.0.4
user@linux:~$ apt show vlc
Package: vlc
Version: 3.0.4-1ubuntu0.2
Priority: optional
Section: universe/graphics
Origin: Ubuntu
Isn't this considered as high security risk?
To install the vlc snap package version 3.0.7 in all currently supported versions of Ubuntu open the terminal and type:
VLC is the VideoLAN project's media player. Completely open source and privacy-friendly, it plays every multimedia file and streams. The vlc snap package will be updated automatically in the background when updates are available.
The Linux ecosystem has several methods for opting out of security risks like this one. If there isn't an updated snap package available sometimes it is possible to install an updated version of the same package in a virtual environment, for example with python3-kivy which has a bug in 18.04 using this workaround. Another possible safe alternative is to search for an updated flatpak package of the same application and install the flatpak package in your own home directory as a normal user without root privileges.