Forgot your password?
typodupeerror
Bug

VLC And Secunia Fighting Over Vulnerability Reports 100

Posted by Unknown Lamer
from the fight-fight-fight dept.
benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.
This discussion has been archived. No new comments can be posted.

VLC And Secunia Fighting Over Vulnerability Reports

Comments Filter:
  • despite dire warnings from Secunia that it could be exploitable, it most certainly is not.

    That depends entirely on what "exploit" means. If VLC is a core part of a media service, calling anything named "terminate" sounds like a recipe for a simple DoS. I don't think VLC is overpriced enough to serve in any critical roles (like, perhaps, a giant Times Square display), but it could easily be the magic under a layer of consultants' bills.

    The easy assumption is that any time a program does something that wouldn't be expected, it's exploitable to cause some kind of annoyance. Whether that alone is en

    • How is making VLC close a DoS? Just re-open it and don't play the rigged file again.
      • by Sarten-X (1102295)

        Imagine a situation where audio or video playback is considered a service, like the given example of a Times Square ad display. Disrupt that playback, and you have denial of service, period.

        More examples I can think of offhand:

        • Theatre sound effects
        • Streaming media servers
        • Internet radio
        • Public information displays
        • Conference and sales presentations

        I'm not saying it's necessarily an important service that's disrupted, or that the fix will take a long time, but it's still a DoS.

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          Disrupt that playback, and you have denial of service, period.

          Except if you control the data stream going to VLC you can do far more than disrupt the service. No exploit is needed.

        • by gl4ss (559668)

          Imagine a situation where audio or video playback is considered a service, like the given example of a Times Square ad display. Disrupt that playback, and you have denial of service, period.

          More examples I can think of offhand:

          • Theatre sound effects
          • Streaming media servers
          • Internet radio
          • Public information displays
          • Conference and sales presentations

          I'm not saying it's necessarily an important service that's disrupted, or that the fix will take a long time, but it's still a DoS.

          if you can insert data into the datastream that is streaming into the video decoder .. umm.. then who the fuck cares you can "dos" it by making the decoder crash? you could dos it multiple ways then, like changing the stream to 10000000x10000000 pixel stream of white or whatever.

          if you could run code through it then it would be pretty serious, obviously, but a videostream that crashes it is literally last decades stuff.

          • by F.Ultra (1673484)
            Becasue if you can make it crash then something else might happen, for example the admin might reach out to it via some remote access method or go there physically which might help you in whatever you are doing.
        • by sjames (1099)

          On the other hand, you handed it a bogus video to play. The best it can do is pop up an error message and/or skip it. There is already some degree of disruption inherent in the situation.

      • by gandhi_2 (1108023)

        Yes, but for MISSION CRITICAL .mkv playback, VLC just isn't an option.

        Like, say... porn.

    • by Anonymous Coward on Wednesday July 10, 2013 @12:06PM (#44239671)

      Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner. Fuck my old boots, the world will end tomorrow.

      VLC over-priced? What planet are you on, it's a free in both senses of the word, you plank! If anyone is selling media playback, they'll simply put a wrapper over ffmpeg, like 99% of Windows and OSX video players do already.

      • Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner.

        Is VLC actually exiting? It should put up a "this media file is corrupt" message with perhaps a backtrace under a disclosure pane. But that's a usability issue, not a security one.

        VLC over-priced? What planet are you on, it's a free in both senses of the word, you plank!

        Adjust the squelch on your sarcasm meter. He means that big expensive projects tend to pay exorbitant licensing fees t

    • by sjames (1099)

      Usually exploit and DOS are two separate categories. DOS is limited in it's impact (though it can be a serious problems in some cases) compared to exploit, the ability to use the program to gain privileges and/or run malicious code.

    • If an attacker can inject their own video stream, they can do far worse things than DoS.

  • by wbr1 (2538558) on Wednesday July 10, 2013 @11:52AM (#44239417)
    when I need to call std::terminate.
  • Put up or shut up (Score:2, Interesting)

    by Anonymous Coward

    "Kaveh Ghaemmaghami has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system."
    "The vulnerability is caused due to a use-after-free error when releasing a picture object during decoding of video files. This can be exploited to reference an object's callback function pointer from already freed memory. Successful exploitation may allow execution of arbitrary code."

    Well if it can be exploited to execute arbitrary code, why not explo


  • I have read this quite concerned but am now finally relieved that my porn viewing will not be affected in the slightest.

    Thank you for reporting on "stuff the matters".
  • Please wait ... (Score:2, Informative)

    by Anonymous Coward

    I tried accessing the VLC website, but all I got was an error message:

    Please wait while your font cache is rebuilt. This should take less than a few minutes.

    • I've used VLC for almost a decade and i've never seen this message. How do you trigger it? According to online sources, it's run after an update, but I've never seen it, and update every single release. Running vlc 2.0.7 right now.

  • Threatens 'legal action'? What's up with that?

    • Re: (Score:1, Troll)

      by GlowingCat (2459788)
      Oh the irony, somebody who doesn't give a crap about patents threatens with legal actions.
      • protip: patent infringement != libel/slander ;)

        • Re:Mein Kempf (Score:4, Interesting)

          by Ash Vince (602485) * on Wednesday July 10, 2013 @01:26PM (#44240997) Journal

          protip: patent infringement != libel/slander ;)

          It is still running to a bunch of lawyers though to settle what should be a technical issue.

          He is worried about the damage to his wonderful players reputation be secunia filing a few bug reports? It works both ways, if they have filed bug based on security issues that do not exist that damages their reputation. Surely it makes more sense to have a discussion between two techies regarding the expected behaviour of the application. I don't see what a bunch of lawyers can contribute to that.

          Oh, apart from burning them to keep the techies warm :)

          • I don't see what a bunch of lawyers can contribute to that.

            Bringing legal action got the issue on Slashdot, so it turned out to be an effective way to raise awareness that Secunia's position is bogus.

  • They have always been correct.
  • by benjymouse (756774) on Wednesday July 10, 2013 @01:08PM (#44240731)

    (original submitter here)

    If Secunia is correct that the root cause is a use-after-free vulnerability, it exploitability is likely not limited to simple DOS. Secunia talk about a callback handler. A use after free vulnerability can easily lead to execution of arbitrary code, depending on how much control the artacker can assert over the memory.

    Also, it is interesting if the sentiment is that it is not a vulnerability if it sits in a linked library. Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.

      Why? We don't report vulnerabilities in the GNU C library (glibc) as being vulnerabilities of every program that has links to it. Even Secunia reports vulnerabilities in glibc as vulnerabilities of the library, not the individual programs using it. [cite: https://secunia.com/advisories/search/ [secunia.com]]

      You can argue that it ought to be the other way, but at the very least Secunia should be consistent with their own practice. Flagging VLC because of a vulnerability in ffmpeg is not consistent with Secunia's own p

    • by Chirs (87576) on Wednesday July 10, 2013 @02:33PM (#44241963)

      If I update the library it resolves the problem for all users of the library. Therefore, the problem is in the shared library, not in the users of that library.

      It may be possible to trigger the bug in users of the library, but the actual error (and the thing that must be fixed) is in the library, not the program using it.

    • by TJamieson (218336)

      My understanding is the libmkv terminate was the DoS portion. The SWF use-after-free would indeed be vulnerable, but is also within ffmpeg. While it would be nice - and in their best interests - if VLC fixed it upstream, it should have been reported as an ffmpeg issue imo.

For every bloke who makes his mark, there's half a dozen waiting to rub it out. -- Andy Capp

Working...