MKVToolNix v28.2.0 released

Hey,

unfortunately I have to release a third time within a week: this time due to a use-after-free bug in all programs that make up the MKVToolNix package. This type of vulnerability allows arbitrary code execution using specially crafted Matroska files. It was introduced in v5.5.0 and affects all following releases up to and including the latest one, v28.1.0. Hence today’s bug fix release.

You can download the source code or one of the binaries. The Windows binaries as well as the Linux AppImage are available already. The macOS binaries and the other Linux binaries are still being built and will be available over the course of the next couple of hours.

Here are the NEWS since the previous release:

Bug fixes

  • mkvmerge, mkvinfo, mkvextract, mkvpropedit, MKVToolNix GUI’s info tool &
    chapter editor: fixed a case of memory being accessed after it had been
    freed earlier. This can be triggered by specially crafted Matroska files and
    lead to arbitrary code execution. The vulnerability was reported as Cisco
    TALOS 2018-0694 on 2018-10-25.

Have fun :)

7 thoughts on “MKVToolNix v28.2.0 released”

  1. David

    Hi please forgive me if I appear ignorant.
    Are the hashes correct on the fosshub download site under ‘Signature’ for this release for macOS?
    I checked in the terminal on the app in the image and got a whole nother result.
    Won’t execute the app until the hash agrees.
    Thank you so much.

    1. mosu Post author

      I’ve just confirmed that both the hashes as well as the .dmg I just downloaded fresh from fosshub.com are correct. They match the file that I generated on my machine during compilation. If the file you downloaded is different, then I have no idea why (A/V software? Bad proxy in the middle?).

  2. David

    Thank you for follow up.
    My bad.
    Indeed checksums correlate.
    Was using incorrect command on the image ie: codesign instead of openssl
    Should have known better.
    BTW very nice set of tools, wish I’d found it years ago.
    Donation coming your way!
    Keep up the good work.

  3. Gringott

    I have checked fosshub from your link several times and only version 27.0.0 is there and shows the last update as 3 October 2018. The link on the checksum page for the latest version takes you to the 27 version.

    Perhaps something went wrong???

    Thanks for your great work.

    1. mosu Post author

      I can see the 28.2.0 release on FossHub just fine. However, you’re not the first person to experience this; someone over on Reddit had the same issue. Please try clearing your browser cache, or give a different browser a try.

      I’ve also contacted the FossHub staff and asked them to look into it from their end.
