News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • VLC Media Player

    Posted on Great Lake Bunyip Comment on the AskWoody Lounge

    Tagged: 

    This topic contains 15 replies, has 9 voices, and was last updated by  anonymous 3 weeks, 2 days ago.

    • Author
      Posts
    • #1879339 Reply

      Great Lake Bunyip
      AskWoody Plus

      A serious Vulnerability has been found in the current version of the VLC media player. It can allow an attacker to remotely view and alter data, as well as execute code, on affected systems. VideoLan is working on a fix to be incorporated into the next version of VLC, but there’s no ETA.

      https://www.tweakguides.com/

      1 user thanked author for this post.
    • #1879382 Reply

      mn–
      AskWoody Lounger

      … though this is still less of a risk than using earlier 3.x series releases of VLC, apparently.

      Bother, VLC has long been one of the more reliable pieces of software but…

      Also not clear if this affects all platform versions of VLC. Notably VLC for Android or iOS isn’t mentioned in either https://www.cert-bund.de/advisoryshort/CB-K19-0634 or https://nvd.nist.gov/vuln/detail/CVE-2019-13615

      1 user thanked author for this post.
    • #1883159 Reply

      Kirsty
      Da Boss

      No, You Don’t Need to Uninstall VLC
      By Chris Hoffman | July 23, 2019

       
      “The sky is falling; uninstall VLC right now!” That’s the advice some websites are providing. But the purported VLC flaw is overblown—and, according to VLC’s developers, may not even be a real risk.

      At the end of the day, it’s probably a good idea to stay away from downloaded MKV files until VLC patches this flaw. But that’s all you would really need to do, and even that’s being kind of paranoid.

      As VLC’s developers explain on the VideoLAN bug tracker:
      “Sorry, but this bug is not reproducible and does not crash VLC at all.” -Jean-Baptiste Kempf

      “If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.” -Francois Cartegnie

      “This does not crash a normal release of VLC 3.0.7.1” -Jean-Baptiste Kempf

       
      Read the full article here

      5 users thanked author for this post.
      • #1883428 Reply

        mn–
        AskWoody Lounger

        “Sorry, but this bug is not reproducible and does not crash VLC at all.” -Jean-Baptiste Kempf

        Though if it were a real threat, crashing might well be the better option, as that’d mean that the hole would then close at that time for that instance. Many a privilege escalation and remote code execution is stopped by triggering a crash (possibly limiting the problem to a denial of service).

        Now, it could well be that the bug is real but not in VLC, or it could be something that only happens with specific compiler and library versions. From the data over at https://trac.videolan.org/vlc/ticket/22474 it’s apparent that there’s a class template allocator involved, which means it could be anywhere from the C++ standard and class library to compiler version and optimizer switches, to other support libraries and since it’s multithreaded AND the relevant parts are split between two threads, even timing might be involved, so running kernel version…

        Seems that the bug report had gcc/g++ 7.4 and glibc 2.27 … so yeah, Ubuntu 18.04 with updates (had gcc 7.3 originally, 7.4 is from updates).

        VLC developers noted that the problem wasn’t reproducible in the win64 version… well right, certainly would have to use different architecture-specific parts in the specifically crafted malicious file even if it was a VLC-only problem. Possibly parts specific to the VLC, standard library and compiler versions, and thread timing not being ruled out as a factor just yet, might or might not also have to bring running kernel version into it.

        This doesn’t mean that it’s safe, though. Means that *I* at least don’t know, and back when I was doing support for application development, these were always a huge bother to chase down… at one point we linked parts of our own application to one patch version of the standard library and other parts to another patch version, to dodge two different bugs in the compiler and libraries… fortunately that got resolved before public release though. (Was on neither Linux nor Windows… no, not Mac either)

        1 user thanked author for this post.
    • #1883805 Reply

      woody
      Da Boss

      Another summary, from Martin Brinkmann.

      Looks like it’s a tempest in a teapot…..

      • #1883969 Reply

        mn–
        AskWoody Lounger

        Well it does seem to be a potential vulnerability in Ubuntu 18.04 anyway.

        And, the issue does seem to be in the MKV container processing indeed – latest information from VLC developers says it’s in Matroska’s libebml library, where it was fixed in version 1.3.6 which came out in April 2018… too late to make it into Ubuntu 18.04, at least initially.

        (The sample file is named .mp4 but is in fact a MKV container containing a mp4-format video… and at least VLC handles it as MKV automatically, other players might too.)

        So, hopefully Ubuntu 18.04 LTS gets a fixed libebml…

        In short: As of right now, if you’re on Ubuntu 18.04 or a derivative, snap-packaged VLC 3.0.7 is safe from this as the snap carries a fixed libebml, but other media players may not be.

        Official binary distribution of VLC 3.0.2 and older for Windows may be vulnerable to this, 3.0.3 and newer are safe.

        • This reply was modified 3 weeks, 5 days ago by  mn--.
        • This reply was modified 3 weeks, 5 days ago by  mn--.
        • This reply was modified 3 weeks, 5 days ago by  mn--. Reason: Clarified... grammar
      • #1885261 Reply

        Kirsty
        Da Boss

        From @gborn, on borncity.com, summarises VLC’s response:

        The problem is a third-party library libebml that was shipped with older versions of Ubuntu, such as 18.04. There the bug was also reported to the VideoLAN project – which was the wrong addressee. In VLC Player V3.0.3 and higher the correct version of the library is included and everything is fine.

        The response in question from VLC:

        2 users thanked author for this post.
        • #1885377 Reply

          Ascaris
          AskWoody_MVP

          18.04 is the current LTS version of Ubuntu, and is the version upon which the ever-popular and current Mint 19.x is based (as well as other Ubuntu derivatives, like the one I use, KDE Neon).  I wouldn’t really characterize it as “older.”

           

          Group "L" (KDE Neon User Edition 5.16.4).

          • #1886034 Reply

            anonymous

            If the libebml library in question needs updating for older Ubuntu based versions perhaps Canonical will do it for the sake of closing a hole. The known fixed library version mentioned in the VideoLAN Twitter account is present in code named The Disco Dingo Ubuntu distribution.

    • #1885447 Reply

      mn–
      AskWoody Lounger

      Yes, this is exactly the kind of thing I’d expect security fixes for in a LTS version … hm, as of now seems that Ubuntu doesn’t have an official bug report of this yet…? Did I have an account in there again… [goes digging in password repository]

    • #1887721 Reply

      mn–
      AskWoody Lounger

      From https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13615.html :

      Notes
      mdeslaur> upstream ticket says this is actually an issue in libebml that
      mdeslaur> was fixed in 1.3.6.
      mdeslaur>
      mdeslaur> marking priority as “low” since a heap-based buffer over-read
      mdeslaur> will likely just result in a crash, not in code execution

      Package
      Source: libebml (LP Ubuntu Debian)
      Upstream: released (1.3.6)
      Ubuntu 12.04 ESM (Precise Pangolin): DNE
      Ubuntu 14.04 ESM (Trusty Tahr): DNE
      Ubuntu 16.04 LTS (Xenial Xerus): needed
      Ubuntu 18.04 LTS (Bionic Beaver): needed
      Ubuntu 19.04 (Disco Dingo): not-affected (1.3.6-2)
      Ubuntu 19.10 (Eoan): not-affected (1.3.9-2)

    • #1888572 Reply

      Geo
      AskWoody Plus

      This would be a good opportunity for MS to bring back they’re  media player once again.

    • #1888603 Reply

      jabeattyauditor
      AskWoody Lounger

      This would be a good opportunity for MS to bring back they’re  media player once again.

      The version of VLC compiled for Windows isn’t/wasn’t vulnerable.

    • #1889513 Reply

      Great Lake Bunyip
      AskWoody Plus

      VLC Security Vulnerability Update
      25 July 2019
      https://www.tweakguides.com/

      VideoLAN, developer of the VLC media player, has responded to the earlier disclosure of an alleged critical security vulnerability in the current version of their player: they state that VLC is not vulnerable; the exploit was fixed as of VLC 3.0.3. Furthermore, they’re angry that security firms and tech outlets repeated these false claims without asking them first….

      Update: As a small gesture to help VideoLAN overcome the stigma of this recent security mix-up, I’ve decided to do a one-page VLC Tweak Guide this weekend. VLC has been my player of choice for watching movies on my PC for several years, but this year I made it my all-round PC media player. So I figure a guide that provides brief, clear details on how to customize VLC’s key features and appearance to suit your needs may persuade some people to give VLC another try.

      https://www.tweakguides.com/

      EDIT Please respect sites’ copyright, as required in our Lounge Rules

    • #1891037 Reply

      anonymous

      ? says:

      ‘buntu libEBML patch (7/25/2019):

      https://usn.ubuntu.com/4073-1/

      VLC patch:

      https://usn.ubuntu.com/4074-1/

      tempest subsiding…

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: VLC Media Player

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.