  • VLC Media Player

    Posted on Great Lake Bunyip Comment on the AskWoody Lounge


      • #1879339
        Great Lake Bunyip
        AskWoody Lounger

        A serious vulnerability has been found in the current version of the VLC media player. It can allow an attacker to remotely view and alter data, as well as execute code, on affected systems. VideoLan is working on a fix to be incorporated into the next version of VLC, but there’s no ETA.

        1 user thanked author for this post.
      • #1879382
        AskWoody Lounger

        … though this is still less of a risk than using earlier 3.x series releases of VLC, apparently.

        Bother, VLC has long been one of the more reliable pieces of software but…

        Also not clear if this affects all platform versions of VLC. Notably VLC for Android or iOS isn’t mentioned in either or

        1 user thanked author for this post.
      • #1883159

        No, You Don’t Need to Uninstall VLC
        By Chris Hoffman | July 23, 2019

        “The sky is falling; uninstall VLC right now!” That’s the advice some websites are providing. But the purported VLC flaw is overblown—and, according to VLC’s developers, may not even be a real risk.

        At the end of the day, it’s probably a good idea to stay away from downloaded MKV files until VLC patches this flaw. But that’s all you would really need to do, and even that’s being kind of paranoid.

        As VLC’s developers explain on the VideoLAN bug tracker:
        “Sorry, but this bug is not reproducible and does not crash VLC at all.” -Jean-Baptiste Kempf

        “If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.” -Francois Cartegnie

        “This does not crash a normal release of VLC” -Jean-Baptiste Kempf

        Read the full article here

        5 users thanked author for this post.
        • #1883428
          AskWoody Lounger

          “Sorry, but this bug is not reproducible and does not crash VLC at all.” -Jean-Baptiste Kempf

          Though if it were a real threat, crashing might well be the better option, as that’d mean that the hole would then close at that time for that instance. Many a privilege escalation and remote code execution is stopped by triggering a crash (possibly limiting the problem to a denial of service).

          Now, it could well be that the bug is real but not in VLC, or it could be something that only happens with specific compiler and library versions. From the data over at it’s apparent that there’s a class template allocator involved, which means it could be anywhere from the C++ standard and class library to compiler version and optimizer switches, to other support libraries and since it’s multithreaded AND the relevant parts are split between two threads, even timing might be involved, so running kernel version…

          Seems that the bug report had gcc/g++ 7.4 and glibc 2.27 … so yeah, Ubuntu 18.04 with updates (had gcc 7.3 originally, 7.4 is from updates).

          VLC developers noted that the problem wasn’t reproducible in the win64 version… well right, certainly would have to use different architecture-specific parts in the specifically crafted malicious file even if it was a VLC-only problem. Possibly parts specific to the VLC, standard library and compiler versions, and thread timing not being ruled out as a factor just yet, might or might not also have to bring running kernel version into it.

          This doesn’t mean that it’s safe, though. Means that *I* at least don’t know, and back when I was doing support for application development, these were always a huge bother to chase down… at one point we linked parts of our own application to one patch version of the standard library and other parts to another patch version, to dodge two different bugs in the compiler and libraries… fortunately that got resolved before public release though. (Was on neither Linux nor Windows… no, not Mac either)

          1 user thanked author for this post.
      • #1883805

        Another summary, from Martin Brinkmann.

        Looks like it’s a tempest in a teapot…..

        • #1883969
          AskWoody Lounger

          Well it does seem to be a potential vulnerability in Ubuntu 18.04 anyway.

          And, the issue does seem to be in the MKV container processing indeed – latest information from VLC developers says it’s in Matroska’s libebml library, where it was fixed in version 1.3.6 which came out in April 2018… too late to make it into Ubuntu 18.04, at least initially.

          (The sample file is named .mp4 but is in fact an MKV container containing an mp4-format video… and at least VLC handles it as MKV automatically, other players might too.)

          So, hopefully Ubuntu 18.04 LTS gets a fixed libebml…

          In short: As of right now, if you’re on Ubuntu 18.04 or a derivative, snap-packaged VLC 3.0.7 is safe from this as the snap carries a fixed libebml, but other media players may not be.

          Official binary distribution of VLC 3.0.2 and older for Windows may be vulnerable to this, 3.0.3 and newer are safe.

          • This reply was modified 1 year, 6 months ago by mn--.
          • This reply was modified 1 year, 6 months ago by mn--. Reason: Clarified... grammar
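
Added example (not part of the thread, and not VLC or libebml code): the post above notes that the sample file was named .mp4 but was really a Matroska container. This sketch classifies a file by its leading bytes instead of its name and reads the EBML header's DocType with explicit bounds checks; the function names and sample bytes are constructed for illustration.

```python
import os

EBML_MAGIC = b"\x1a\x45\xdf\xa3"  # EBML header element ID (Matroska/WebM)
DOCTYPE_ID = 0x4282               # DocType element inside the EBML header

def read_vint(buf, pos, keep_marker):
    """Decode one EBML variable-length integer; return (value, next_pos)."""
    if pos >= len(buf) or buf[pos] == 0:
        raise ValueError("truncated or invalid vint")
    length = 9 - buf[pos].bit_length()       # leading zero bits + 1
    if pos + length > len(buf):
        raise ValueError("vint runs past end of buffer")
    value = int.from_bytes(buf[pos:pos + length], "big")
    if not keep_marker:                      # sizes drop the length-marker bit
        value &= (1 << (7 * length)) - 1
    return value, pos + length

def sniff_container(header):
    """Classify a file by its leading bytes, ignoring the file name."""
    if header[4:8] == b"ftyp":
        return "mp4"
    if not header.startswith(EBML_MAGIC):
        return "unknown"
    try:
        size, pos = read_vint(header, 4, keep_marker=False)
        end = min(pos + size, len(header))   # never trust the declared size
        while pos < end:
            elem_id, pos = read_vint(header, pos, keep_marker=True)
            elem_size, pos = read_vint(header, pos, keep_marker=False)
            if pos + elem_size > end:
                raise ValueError("element overruns header")
            if elem_id == DOCTYPE_ID:
                doc = header[pos:pos + elem_size]
                return doc.rstrip(b"\x00").decode("ascii", "replace")
            pos += elem_size
    except ValueError:
        pass
    return "ebml"                            # EBML magic, DocType unreadable

def extension_mismatch(name, header):
    """True when an MP4-named file is actually an EBML (Matroska/WebM) file."""
    ext = os.path.splitext(name)[1].lower()
    return ext in (".mp4", ".m4v") and sniff_container(header) in ("matroska", "webm", "ebml")

# Constructed sample headers (not taken from the reported file).
_body = (b"\x42\x86\x81\x01\x42\xf7\x81\x01\x42\xf2\x81\x04\x42\xf3\x81\x08"
         b"\x42\x82\x88matroska\x42\x87\x81\x04\x42\x85\x81\x02")
SAMPLE_MKV = EBML_MAGIC + bytes([0x80 | len(_body)]) + _body
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16
```

A mismatch is not evidence that a file is malicious; it only shows that a player which sniffs content will route the file to its Matroska/EBML parsing path regardless of the name.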
        • #1885261

          From @gborn, on, summarises VLC’s response:

          The problem is a third-party library libebml that was shipped with older versions of Ubuntu, such as 18.04. There the bug was also reported to the VideoLAN project – which was the wrong addressee. In VLC Player V3.0.3 and higher the correct version of the library is included and everything is fine.

          The response in question from VLC:

          2 users thanked author for this post.
          • #1885377

            18.04 is the current LTS version of Ubuntu, and is the version upon which the ever-popular and current Mint 19.x is based (as well as other Ubuntu derivatives, like the one I use, KDE Neon).  I wouldn’t really characterize it as “older.”


            Group "L" (KDE Neon Linux 5.20.5 User Edition)

            • #1886034

              If the libebml library in question needs updating for older Ubuntu based versions perhaps Canonical will do it for the sake of closing a hole. The known fixed library version mentioned in the VideoLAN Twitter account is present in code named The Disco Dingo Ubuntu distribution.

      • #1885447
        AskWoody Lounger

        Yes, this is exactly the kind of thing I’d expect security fixes for in an LTS version … hm, as of now seems that Ubuntu doesn’t have an official bug report of this yet…? Did I have an account in there again… [goes digging in password repository]

      • #1887721
        AskWoody Lounger

        From :

        mdeslaur> upstream ticket says this is actually an issue in libebml that
        mdeslaur> was fixed in 1.3.6.
        mdeslaur> marking priority as “low” since a heap-based buffer over-read
        mdeslaur> will likely just result in a crash, not in code execution

        Source: libebml (LP Ubuntu Debian)
        Upstream: released (1.3.6)
        Ubuntu 12.04 ESM (Precise Pangolin): DNE
        Ubuntu 14.04 ESM (Trusty Tahr): DNE
        Ubuntu 16.04 LTS (Xenial Xerus): needed
        Ubuntu 18.04 LTS (Bionic Beaver): needed
        Ubuntu 19.04 (Disco Dingo): not-affected (1.3.6-2)
        Ubuntu 19.10 (Eoan): not-affected (1.3.9-2)

      • #1888572
        AskWoody Plus

        This would be a good opportunity for MS to bring back their media player once again.

      • #1888603
        AskWoody Lounger

        This would be a good opportunity for MS to bring back their media player once again.

        The version of VLC compiled for Windows isn’t/wasn’t vulnerable.

      • #1889513
        Great Lake Bunyip
        AskWoody Lounger

        VLC Security Vulnerability Update
        25 July 2019

        VideoLAN, developer of the VLC media player, has responded to the earlier disclosure of an alleged critical security vulnerability in the current version of their player: they state that VLC is not vulnerable; the exploit was fixed as of VLC 3.0.3. Furthermore, they’re angry that security firms and tech outlets repeated these false claims without asking them first….

        Update: As a small gesture to help VideoLAN overcome the stigma of this recent security mix-up, I’ve decided to do a one-page VLC Tweak Guide this weekend. VLC has been my player of choice for watching movies on my PC for several years, but this year I made it my all-round PC media player. So I figure a guide that provides brief, clear details on how to customize VLC’s key features and appearance to suit your needs may persuade some people to give VLC another try.

        EDIT Please respect sites’ copyright, as required in our Lounge Rules

      • #1891037

        ? says:

        ‘buntu libEBML patch (7/25/2019):

        VLC patch:

        tempest subsiding…
