![]() |
MS-DEFCON 2:
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
|
-
VLC Media Player
Home › Forums › Code Red – Security/Privacy advisories › VLC Media Player
Tagged: VLC
- This topic has 15 replies, 9 voices, and was last updated 1 year, 6 months ago by
anonymous.
Viewing 9 reply threads-
AuthorPosts
-
-
July 22, 2019 at 12:44 am #1879339
Great Lake Bunyip
AskWoody LoungerA serious Vulnerability has been found in the current version of the VLC media player. It can allow an attacker to remotely view and alter data, as well as execute code, on affected systems. VideoLan is working on a fix to be incorporated into the next version of VLC, but there’s no ETA.
1 user thanked author for this post.
-
July 22, 2019 at 1:37 am #1879382
mn–
AskWoody Lounger… though this is still less of a risk than using earlier 3.x series releases of VLC, apparently.
Bother, VLC has long been one of the more reliable pieces of software but…
Also not clear if this affects all platform versions of VLC. Notably VLC for Android or iOS isn’t mentioned in either https://www.cert-bund.de/advisoryshort/CB-K19-0634 or https://nvd.nist.gov/vuln/detail/CVE-2019-13615 …
1 user thanked author for this post.
-
July 23, 2019 at 8:36 pm #1883159
Kirsty
ManagerNo, You Don’t Need to Uninstall VLC
By Chris Hoffman | July 23, 2019
“The sky is falling; uninstall VLC right now!” That’s the advice some websites are providing. But the purported VLC flaw is overblown—and, according to VLC’s developers, may not even be a real risk.
…
At the end of the day, it’s probably a good idea to stay away from downloaded MKV files until VLC patches this flaw. But that’s all you would really need to do, and even that’s being kind of paranoid.As VLC’s developers explain on the VideoLAN bug tracker:
“Sorry, but this bug is not reproducible and does not crash VLC at all.” -Jean-Baptiste Kempf“If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.” -Francois Cartegnie
“This does not crash a normal release of VLC 3.0.7.1” -Jean-Baptiste Kempf
Read the full article here5 users thanked author for this post.
-
July 24, 2019 at 1:36 am #1883428
mn–
AskWoody Lounger“Sorry, but this bug is not reproducible and does not crash VLC at all.” -Jean-Baptiste Kempf
Though if it were a real threat, crashing might well be the better option, as that’d mean that the hole would then close at that time for that instance. Many a privilege escalation and remote code execution is stopped by triggering a crash (possibly limiting the problem to a denial of service).
Now, it could well be that the bug is real but not in VLC, or it could be something that only happens with specific compiler and library versions. From the data over at https://trac.videolan.org/vlc/ticket/22474 it’s apparent that there’s a class template allocator involved, which means it could be anywhere from the C++ standard and class library to compiler version and optimizer switches, to other support libraries and since it’s multithreaded AND the relevant parts are split between two threads, even timing might be involved, so running kernel version…
Seems that the bug report had gcc/g++ 7.4 and glibc 2.27 … so yeah, Ubuntu 18.04 with updates (had gcc 7.3 originally, 7.4 is from updates).
VLC developers noted that the problem wasn’t reproducible in the win64 version… well right, certainly would have to use different architecture-specific parts in the specifically crafted malicious file even if it was a VLC-only problem. Possibly parts specific to the VLC, standard library and compiler versions, and thread timing not being ruled out as a factor just yet, might or might not also have to bring running kernel version into it.
This doesn’t mean that it’s safe, though. Means that *I* at least don’t know, and back when I was doing support for application development, these were always a huge bother to chase down… at one point we linked parts of our own application to one patch version of the standard library and other parts to another patch version, to dodge two different bugs in the compiler and libraries… fortunately that got resolved before public release though. (Was on neither Linux nor Windows… no, not Mac either)
1 user thanked author for this post.
-
-
July 24, 2019 at 4:59 am #1883805
woody
Manager-
July 24, 2019 at 6:14 am #1883969
mn–
AskWoody LoungerWell it does seem to be a potential vulnerability in Ubuntu 18.04 anyway.
And, the issue does seem to be in the MKV container processing indeed – latest information from VLC developers says it’s in Matroska’s libebml library, where it was fixed in version 1.3.6 which came out in April 2018… too late to make it into Ubuntu 18.04, at least initially.
(The sample file is named .mp4 but is in fact a MKV container containing a mp4-format video… and at least VLC handles it as MKV automatically, other players might too.)
So, hopefully Ubuntu 18.04 LTS gets a fixed libebml…
In short: As of right now, if you’re on Ubuntu 18.04 or a derivative, snap-packaged VLC 3.0.7 is safe from this as the snap carries a fixed libebml, but other media players may not be.
Official binary distribution of VLC 3.0.2 and older for Windows may be vulnerable to this, 3.0.3 and newer are safe.
-
July 24, 2019 at 2:40 pm #1885261
Kirsty
ManagerFrom @gborn, on borncity.com, summarises VLC’s response:
The problem is a third-party library libebml that was shipped with older versions of Ubuntu, such as 18.04. There the bug was also reported to the VideoLAN project – which was the wrong addressee. In VLC Player V3.0.3 and higher the correct version of the library is included and everything is fine.
The response in question from VLC:
About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.Thread:
— VideoLAN (@videolan) July 24, 2019
-
-
July 24, 2019 at 3:58 pm #1885447
-
July 25, 2019 at 6:05 am #1887721
mn–
AskWoody LoungerFrom https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13615.html :
Notes
mdeslaur> upstream ticket says this is actually an issue in libebml that
mdeslaur> was fixed in 1.3.6.
mdeslaur>
mdeslaur> marking priority as “low” since a heap-based buffer over-read
mdeslaur> will likely just result in a crash, not in code executionPackage
Source: libebml (LP Ubuntu Debian)
Upstream: released (1.3.6)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): not-affected (1.3.6-2)
Ubuntu 19.10 (Eoan): not-affected (1.3.9-2) -
July 25, 2019 at 11:40 am #1888572
-
July 25, 2019 at 12:11 pm #1888603
jabeattyauditor
AskWoody LoungerThis would be a good opportunity for MS to bring back they’re media player once again.
The version of VLC compiled for Windows isn’t/wasn’t vulnerable.
-
July 25, 2019 at 5:35 pm #1889422
EP
AskWoody_MVPthe latest version of VLC for Windows was never vulnerable to begin with
this Neowin article was updated yesterday 7/24 to reflect on the VLC creator’s recent tweets:
https://www.neowin.net/news/german-cybersecurity-agency-identifies-critical-flaw-in-vlc-media-player
-
-
July 25, 2019 at 8:02 pm #1889513
Great Lake Bunyip
AskWoody LoungerVLC Security Vulnerability Update
25 July 2019
https://www.tweakguides.com/VideoLAN, developer of the VLC media player, has responded to the earlier disclosure of an alleged critical security vulnerability in the current version of their player: they state that VLC is not vulnerable; the exploit was fixed as of VLC 3.0.3. Furthermore, they’re angry that security firms and tech outlets repeated these false claims without asking them first….
Update: As a small gesture to help VideoLAN overcome the stigma of this recent security mix-up, I’ve decided to do a one-page VLC Tweak Guide this weekend. VLC has been my player of choice for watching movies on my PC for several years, but this year I made it my all-round PC media player. So I figure a guide that provides brief, clear details on how to customize VLC’s key features and appearance to suit your needs may persuade some people to give VLC another try.
EDIT Please respect sites’ copyright, as required in our Lounge Rules
-
July 26, 2019 at 9:19 am #1891037
anonymous
Guest? says:
‘buntu libEBML patch (7/25/2019):
https://usn.ubuntu.com/4073-1/
VLC patch:
https://usn.ubuntu.com/4074-1/
tempest subsiding…
-
-
AuthorPosts
Viewing 9 reply threads - This topic has 15 replies, 9 voices, and was last updated 1 year, 6 months ago by
-
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.

Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.
Search The Lounge
Recent Replies
desertdad on Windows 10 Latest Patch: KB 4598242
1 hour, 8 minutes agocyberSAR on Hasta la vista, TeamViewer Free
1 hour, 29 minutes agoanonymous on Google threatens to remove search engine from Australia
1 hour, 32 minutes agoBob99 on KB4023057 while on Win10-2004
2 hours, 22 minutes agoBob99 on Seriously, MBAM?
2 hours, 41 minutes agoBob99 on Seriously, MBAM?
2 hours, 44 minutes agoBob99 on Susan recommending version 2004
2 hours, 51 minutes agoOscarCP on Google threatens to remove search engine from Australia
2 hours, 56 minutes agoSusan Bradley on This should be the best patching experience
3 hours, 17 minutes agoanonymous on This should be the best patching experience
3 hours, 18 minutes agoOscarCP on Giving you the choice
4 hours, Just nowrick41 on Giving you the choice
4 hours, 1 minute agocyberSAR on Seriously, MBAM?
4 hours, 10 minutes agoOscarCP on Giving you the choice
4 hours, 13 minutes agoSusan Bradley on Lost Post
4 hours, 19 minutes agoSusan Bradley on Giving you the choice
4 hours, 20 minutes agogsel on imovie problems in osx 10.6.8
4 hours, 22 minutes agorick41 on Giving you the choice
4 hours, 26 minutes agoanonymous on MS-DEFCON 2 – Get ready for January updates
4 hours, 39 minutes agoFrances McKenna on Time to adapt while acknowledging the past
4 hours, 41 minutes agoSusan Bradley on Giving you the choice
4 hours, 42 minutes agoCybertooth on Giving you the choice
4 hours, 54 minutes agoCADesertRat on MS Shared Experience warning
5 hours, 40 minutes agolikescats on Files don’t copy from Win7 HDD to Win10 computer
6 hours, 2 minutes agoBundaburra on Google threatens to remove search engine from Australia
6 hours, 12 minutes agoSteveTree on This should be the best patching experience
6 hours, 25 minutes agomn-- on Files don’t copy from Win7 HDD to Win10 computer
6 hours, 25 minutes agoLicAC on Windows Defender – yes or no?
6 hours, 48 minutes agoBen Myers on SSD vs. SATA Drives
7 hours, 33 minutes agoKirsty on Google threatens to remove search engine from Australia
9 hours, 22 minutes ago
Recent Topics
-
Slow file copy
45 minutes ago
-
Do we need Java?
53 minutes ago
-
Windows 10 version changes
2 hours, 7 minutes ago
-
Lost Post
4 hours, 19 minutes ago
-
Hasta la vista, TeamViewer Free
1 hour, 29 minutes ago
-
Files don’t copy from Win7 HDD to Win10 computer
6 hours, 2 minutes ago
-
Does the HP Spectre Notebook (2016 model) have a removable wireless LAN Card?
19 hours, 30 minutes ago
-
Windows 10 2004 and Intel Ethernet Problem Solving
7 hours, 35 minutes ago
-
KB4023057 while on Win10-2004
2 hours, 22 minutes ago
-
MS Shared Experience warning
5 hours, 40 minutes ago
-
Google threatens to remove search engine from Australia
1 hour, 32 minutes ago
-
macOS Catalina running on iPad Pro 2020
9 hours, 34 minutes ago
-
How to check if someone else accessed your Google account
20 hours, 56 minutes ago
-
This should be the best patching experience
3 hours, 17 minutes ago
-
Windows 10 Insider build 19042.782 (20H2) released to Beta & Release Preview
1 day, 2 hours ago
-
Browser Settings Block Linux Mint Downloads
1 day, 2 hours ago
-
Windows 10 Insider Preview build 20296 released to DEV Channel
1 day, 9 hours ago
-
Google Analytics Notice
1 day, 10 hours ago
-
Beeper combines 15 chatting apps
1 day, 5 hours ago
-
File Explorer cannot see external 2Tb drive in full
1 day, 13 hours ago
-
Office 2010 updates.
13 hours, 13 minutes ago
-
What is ‘Meet Now’
1 day, 13 hours ago
-
Linux is now completely usable on the Mac mini M1
2 days, 9 hours ago
-
User Feed Synchronization – Disable/Delete Task?
1 day, 10 hours ago
-
AV Alert from JetAudio Plus
2 days, 11 hours ago
-
System Restore Stopped Working
1 day, 9 hours ago
-
Malwarebytes was targeted by SolarWinds hackers too
2 days, 21 hours ago
-
So I opened up an HP and where’s the hard drive?
21 hours, 36 minutes ago
-
Which version of MS Office should we buy and where can we get it?
2 days ago
-
Fiber optic not available; options please
2 days, 5 hours ago
Search for Topics
Recent blog posts
Key Links
Copyright © 2004 – 2021 AskWoody Tech LLC. All rights reserved.