VLC Media Player

[Great Lake Bunyip]

A serious Vulnerability has been found in the current version of the VLC media player. It can allow an attacker to remotely view and alter data, as well as execute code, on affected systems. VideoLan is working on a fix to be incorporated into the next version of VLC, but there’s no ETA.

https://www.tweakguides.com/

1 user thanked author for this post.

jburk07

[mn–]

… though this is still less of a risk than using earlier 3.x series releases of VLC, apparently.

Bother, VLC has long been one of the more reliable pieces of software but…

Also not clear if this affects all platform versions of VLC. Notably VLC for Android or iOS isn’t mentioned in either https://www.cert-bund.de/advisoryshort/CB-K19-0634 or https://nvd.nist.gov/vuln/detail/CVE-2019-13615 …

1 user thanked author for this post.

jburk07

[Kirsty]

No, You Don’t Need to Uninstall VLC
By Chris Hoffman | July 23, 2019

 
“The sky is falling; uninstall VLC right now!” That’s the advice some websites are providing. But the purported VLC flaw is overblown—and, according to VLC’s developers, may not even be a real risk.
…
At the end of the day, it’s probably a good idea to stay away from downloaded MKV files until VLC patches this flaw. But that’s all you would really need to do, and even that’s being kind of paranoid.

As VLC’s developers explain on the VideoLAN bug tracker:
“Sorry, but this bug is not reproducible and does not crash VLC at all.” -Jean-Baptiste Kempf

“If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.” -Francois Cartegnie

“This does not crash a normal release of VLC 3.0.7.1” -Jean-Baptiste Kempf

 
Read the full article here

5 users thanked author for this post.

Elly, rexr, woody, Great Lake Bunyip, jburk07

[mn–]

Kirsty wrote:

“Sorry, but this bug is not reproducible and does not crash VLC at all.” -Jean-Baptiste Kempf

Though if it were a real threat, crashing might well be the better option, as that’d mean that the hole would then close at that time for that instance. Many a privilege escalation and remote code execution is stopped by triggering a crash (possibly limiting the problem to a denial of service).

Now, it could well be that the bug is real but not in VLC, or it could be something that only happens with specific compiler and library versions. From the data over at https://trac.videolan.org/vlc/ticket/22474 it’s apparent that there’s a class template allocator involved, which means it could be anywhere from the C++ standard and class library to compiler version and optimizer switches, to other support libraries and since it’s multithreaded AND the relevant parts are split between two threads, even timing might be involved, so running kernel version…

Seems that the bug report had gcc/g++ 7.4 and glibc 2.27 … so yeah, Ubuntu 18.04 with updates (had gcc 7.3 originally, 7.4 is from updates).

VLC developers noted that the problem wasn’t reproducible in the win64 version… well right, certainly would have to use different architecture-specific parts in the specifically crafted malicious file even if it was a VLC-only problem. Possibly parts specific to the VLC, standard library and compiler versions, and thread timing not being ruled out as a factor just yet, might or might not also have to bring running kernel version into it.

This doesn’t mean that it’s safe, though. Means that *I* at least don’t know, and back when I was doing support for application development, these were always a huge bother to chase down… at one point we linked parts of our own application to one patch version of the standard library and other parts to another patch version, to dodge two different bugs in the compiler and libraries… fortunately that got resolved before public release though. (Was on neither Linux nor Windows… no, not Mac either)

1 user thanked author for this post.

woody

[woody]

Another summary, from Martin Brinkmann.

Looks like it’s a tempest in a teapot…..

[mn–]

Well it does seem to be a potential vulnerability in Ubuntu 18.04 anyway.

And, the issue does seem to be in the MKV container processing indeed – latest information from VLC developers says it’s in Matroska’s libebml library, where it was fixed in version 1.3.6 which came out in April 2018… too late to make it into Ubuntu 18.04, at least initially.

(The sample file is named .mp4 but is in fact a MKV container containing a mp4-format video… and at least VLC handles it as MKV automatically, other players might too.)

So, hopefully Ubuntu 18.04 LTS gets a fixed libebml…

In short: As of right now, if you’re on Ubuntu 18.04 or a derivative, snap-packaged VLC 3.0.7 is safe from this as the snap carries a fixed libebml, but other media players may not be.

Official binary distribution of VLC 3.0.2 and older for Windows may be vulnerable to this, 3.0.3 and newer are safe.

• This reply was modified 10 months, 1 week ago by mn--.
• This reply was modified 10 months, 1 week ago by mn--.
• This reply was modified 10 months, 1 week ago by mn--. Reason: Clarified... grammar

[Kirsty]

From @gborn, on borncity.com, summarises VLC’s response:

The problem is a third-party library libebml that was shipped with older versions of Ubuntu, such as 18.04. There the bug was also reported to the VideoLAN project – which was the wrong addressee. In VLC Player V3.0.3 and higher the correct version of the library is included and everything is fine.

The response in question from VLC:

About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.

Thread:

— VideoLAN (@videolan) July 24, 2019

2 users thanked author for this post.

Elly, jburk07

[Ascaris]

18.04 is the current LTS version of Ubuntu, and is the version upon which the ever-popular and current Mint 19.x is based (as well as other Ubuntu derivatives, like the one I use, KDE Neon).  I wouldn’t really characterize it as “older.”

 

Group "L" (KDE Neon User Edition 5.18.5).

[anonymous]

If the libebml library in question needs updating for older Ubuntu based versions perhaps Canonical will do it for the sake of closing a hole. The known fixed library version mentioned in the VideoLAN Twitter account is present in code named The Disco Dingo Ubuntu distribution.

[mn–]

Yes, this is exactly the kind of thing I’d expect security fixes for in a LTS version … hm, as of now seems that Ubuntu doesn’t have an official bug report of this yet…? Did I have an account in there again… [goes digging in password repository]

[mn–]

From https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13615.html :

Notes
mdeslaur> upstream ticket says this is actually an issue in libebml that
mdeslaur> was fixed in 1.3.6.
mdeslaur>
mdeslaur> marking priority as “low” since a heap-based buffer over-read
mdeslaur> will likely just result in a crash, not in code execution

Package
Source: libebml (LP Ubuntu Debian)
Upstream: released (1.3.6)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): not-affected (1.3.6-2)
Ubuntu 19.10 (Eoan): not-affected (1.3.9-2)

[Geo]

This would be a good opportunity for MS to bring back they’re  media player once again.

[jabeattyauditor]

Geo wrote:

This would be a good opportunity for MS to bring back they’re  media player once again.

The version of VLC compiled for Windows isn’t/wasn’t vulnerable.

[EP]

the latest version of VLC for Windows was never vulnerable to begin with

this Neowin article was updated yesterday 7/24 to reflect on the VLC creator’s recent tweets:
https://www.neowin.net/news/german-cybersecurity-agency-identifies-critical-flaw-in-vlc-media-player

[Great Lake Bunyip]

VLC Security Vulnerability Update
25 July 2019
https://www.tweakguides.com/

VideoLAN, developer of the VLC media player, has responded to the earlier disclosure of an alleged critical security vulnerability in the current version of their player: they state that VLC is not vulnerable; the exploit was fixed as of VLC 3.0.3. Furthermore, they’re angry that security firms and tech outlets repeated these false claims without asking them first….

Update: As a small gesture to help VideoLAN overcome the stigma of this recent security mix-up, I’ve decided to do a one-page VLC Tweak Guide this weekend. VLC has been my player of choice for watching movies on my PC for several years, but this year I made it my all-round PC media player. So I figure a guide that provides brief, clear details on how to customize VLC’s key features and appearance to suit your needs may persuade some people to give VLC another try.

https://www.tweakguides.com/

EDIT Please respect sites’ copyright, as required in our Lounge Rules

[anonymous]

? says:

‘buntu libEBML patch (7/25/2019):

https://usn.ubuntu.com/4073-1/

VLC patch:

https://usn.ubuntu.com/4074-1/

tempest subsiding…

[Author]

Posts