VLC Developer Debunks Reports of 'Critical Security Issue' In Open Source Media Player (portswigger.net) 80

New submitter Grindop53 shares a report: Widespread reports of a "critical security issue" that supposedly impacted users of VLC media player have been debunked as "completely bogus" by developers. Earlier this week, German computer emergency response team CERT-Bund -- part of the Federal Office for Information Security (BSI) -- pushed out an advisory warning network administrators and other users of a high-impact vulnerability in VLC. It seems that this advisory can be traced back to a ticket that was opened on VLC owner VideoLAN's public bug tracker more than four weeks ago. The alleged heap-based buffer overflow flaw was disclosed by a user named "topsec(zhangwy)," who stated that a malicious .mp4 file could be leveraged by an attacker to take control of VLC media player users' devices. The issue was flagged as high-risk on the CERT-Bund site, and the vulnerability was assigned a CVE entry (CVE-2019-13615).

However, according to VideoLAN president Jean-Baptiste Kempf, the exploit does not work on the latest VLC build. In fact, any potential issues relating to the vulnerability were patched more than a year ago. "There is no security issue in VLC," Kempf told The Daily Swig in a phone conversation this morning. "There is a security issue in a third-party library, and a fix was pushed [out] 18 months ago." When asked how or why this oversight generated so much attention, Kempf noted that the reporter of the supposed vulnerability did not approach VideoLAN through its security reporting email address. "The guy never contacted us," said Kempf, who remains a lead developer at the VLC project. "This is why you don't report security issues on a public bug tracker."
Kempf and his team were unable to replicate the issue in the latest version of VLC, leading many to believe that the bug reporter was working on a computer running an outdated version of Ubuntu. "If you report a security issue, at least update your Linux distribution," Kempf said.
  • "If you report a security issue, at least update your Linux distribution," Kempf said.

    Will current LTS editions of Ubuntu and other popular distros actually have the most current version of VLC available in their package managers? In my previous experience with Ubuntu (many years ago) this wasn't always the case.

    • Re:Is Kempf right? (Score:4, Informative)

      by scdeimos ( 632778 ) on Wednesday July 24, 2019 @09:01PM (#58982436)

      After a little checking I suspect that Kempf is being disingenuous here.

      The bug ticket at https://trac.videolan.org/vlc/... [videolan.org] shows the bug in "VLC media player 4.0.0-dev Otto Chriek (revision 3426d7b)". I thought that was a little odd, version 4.0.0-dev, given that the official VLC download page, https://www.videolan.org/vlc/ [videolan.org], lists the current version as 3.0.7.1.

      So, I checked the videolan/vlc GitHub repo, https://github.com/videolan/vl... [github.com], and you can see that commit is from 19 June 2019.

      • by iive ( 721743 )

        As j-b has said in the bug report, the bug is in the external library "libebml".

        If you have an old version of the library installed on the system, any version of VLC that is linked to it may be affected.

        This is why j-b said that you should update your distribution. Assuming Ubuntu still does bugfix/security updates for that version.

        VLC's own distributed binaries from 3.0.4 onwards (inclusive) should contain builds with the new library.

        Have in mind, the commit in question may trigger the bug, but the commit itself may not

    • by skogs ( 628589 )

      Some distributions' package repos are a dumpster fire when it comes to moderately current packages.
      This is why there is amazing confusion on these sorts of things.
      You want moderately current Wine, Nvidia, or even LibreOffice? You need a distro that doesn't freeze the most stupid little things in time for years on end.

      I like stable systems with packages that might be somewhat old and hopefully are compiled in a way to remove some unnecessary features that are potentially vulnerable. It is just that there i

      • Nothing else depends on... except users. I hate random breakage, paces like six months or two years are fine for feature upgrades unless I explicitly need the latest version for some reason. Now for exploits you can't wait six months, but most times you can backport a fix. But identifying the security related changes and supporting multiple branches is extra work, the kind of dull work people don't like to do. So upstream says it's fixed in the latest release just upgrade. Downstr

    • by adrn01 ( 103810 )
      The official way to upgrade VLC for Linux is to do an entire OS update, and hope that update includes a new enough VLC.
      The alternative is to download the SNAP, which sucks because there is NO option to adjust the UI size - good luck if you can't read tiny text on your nice big monitor. Of course, if you are really really ambitious, you could try to grab the source for all the libraries a full VLC compile requires, plus VLC itself, and hope that huge poorly documented pile of code actually compiles. You
    • Will current LTS editions of Ubuntu and other popular distros actually have the most current version of VLC available in their package managers?

      Yep just download the Snap. Otherwise no. Not LTS, not the normal version, no version of Ubuntu offers the current VLC version in the package manager.

      It is my standard go-to case when I hear neckbeards complaining about Snap as being some kind of solution looking for a problem while yelling at the kids on their lawn.

  • by Anonymous Coward

    I looked into it a little more and there are like 6 conflicting reports about this bug. But one major problem is that a lot of the devs/testers are misunderstanding that this bug only occurs if VLC is set to loop mode in which case the erroneous input file will memory leak until using up all memory and crash the system. In that case, yes this actually is still a bug that was duplicable even 16 hours ago. A lot of the devs aren't testing it with that in mind and you can see a lot of miscommunication happenin

    • Also, the reporter in TFA seems to be lying:

      The alleged heap-based buffer overflow flaw was disclosed by a user named "topsec(zhangwy)," who stated that a malicious .mp4 file could be leveraged by an attacker to take control of VLC media player users' devices.

      There's no mention of "attack" or "malicious" anywhere in that bug ticket, let alone from zhangwy. It's not mentioned in the NVD CVE either; a phrase like that possibly came from SecurityFocus or another security blogger.

      • I just figure it's implied that any buffer overflow will allow arbitrary execution of malicious code, unless there is some kind of sandbox or VM, etc.
    • Read on... (Score:4, Informative)

      by Ecuador ( 740021 ) on Thursday July 25, 2019 @04:26AM (#58983610) Homepage

      Read on in that thread. The submitter admits that it is a bug with an old version of libebml (the libebml author himself first notes this) - he cannot reproduce it after manually updating libebml and apologises.
      It seems the submitter tried to contact security@ first, and only opened the bug after there was no response. The bug went unnoticed and was not responded to for 4 weeks until there was suddenly all this commotion.
      No idea how/why NVD picked it up with such a high score initially... Somebody jumped the gun...

  • About a week ago, the LinuxSecurity staff started tracking a security issue related to VLC, the popular open source media player. As the week went on, it wasn’t completely clear what was fact and what was fiction. I decided to find out. I reached out to Jean-Baptiste Kempf, and we had a really interesting conversation on this topic. Check out what I learned: https://linuxsecurity.com/feat... [linuxsecurity.com]
