Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Bug

VLC And Secunia Fighting Over Vulnerability Reports 100

Posted by Unknown Lamer from the fight-fight-fight dept.
benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.
This discussion has been archived. No new comments can be posted.

VLC And Secunia Fighting Over Vulnerability Reports More

VLC And Secunia Fighting Over Vulnerability Reports

Comments Filter:

  • Please wait ... (Score:2, Informative)

    by Anonymous Coward on Wednesday July 10, 2013 @12:02PM (#44239597)

    I tried accessing the VLC website, but all I got was an error message:

    Please wait while your font cache is rebuilt. This should take less than a few minutes.

  • Re:Put up or shut up (Score:5, Informative)

    by Lunix Nutcase ( 1092239 ) on Wednesday July 10, 2013 @12:23PM (#44239945)

    How is that phrase gibberish? It's quite clear what it means if you've ever used C++ and function pointers to implement callbacks for an object.

  • Use after free is *not* just a DOS vulnerbability (Score:4, Informative)

    by benjymouse ( 756774 ) on Wednesday July 10, 2013 @01:08PM (#44240731)

    (original submitter here)

    If Secunia is correct that the root cause is a use-after-free vulnerability, it exploitability is likely not limited to simple DOS. Secunia talk about a callback handler. A use after free vulnerability can easily lead to execution of arbitrary code, depending on how much control the artacker can assert over the memory.

    Also, it is interesting if the sentiment is that it is not a vulnerability if it sits in a linked library. Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.

  • Re:Use after free is *not* just a DOS vulnerbabili (Score:2, Informative)

    by Anonymous Coward on Wednesday July 10, 2013 @02:11PM (#44241661)

    Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.

    Why? We don't report vulnerabilities in the GNU C library (glibc) as being vulnerabilities of every program that has links to it. Even Secunia reports vulnerabilities in glibc as vulnerabilities of the library, not the individual programs using it. [cite: https://secunia.com/advisories/search/ [secunia.com]]

    You can argue that it ought to be the other way, but at the very least Secunia should be consistent with their own practice. Flagging VLC because of a vulnerability in ffmpeg is not consistent with Secunia's own past practice.

  • Re:Yet another biased Slashdot story (Score:5, Informative)

    by Sarten-X ( 1102295 ) on Wednesday July 10, 2013 @02:29PM (#44241899) Homepage

    You jest, but that's a decent example. It's a hostile world, and every little thing, no matter how trivial, can be used against you, in unexpected ways. If you're aiming to kill a sysadmin, perhaps VLC is just the right tool for the job. Perhaps the bus hit was planned, and the attacker just needed a way to get the admin out in the open.

    One of my personal favorite exploits involved using a core dump to drop a file into cron.d. The kernel, being ever so helpful, would put the dump into whatever working directory the crashing program was running in. Cron, being ever so helpful, would run all the files in cron.d, and being ever so helpful, would ignore all the badly-malformed data in those files. Put them together, and suddenly any user who can run a program can schedule commands to be run as root.

    As your example shows with ample hyperbole, even a clean termination may be part of a larger plan. Perhaps VLC terminating triggers a watchdog that is differently-exploitable. Perhaps VLC is interfering with another exploit the attacker wants to use. Perhaps something else altogether... what matters is that all such attack vectors can be blocked by fixing this unexpected behavior.

  • consider shared libraries (Score:4, Informative)

    by Chirs ( 87576 ) on Wednesday July 10, 2013 @02:33PM (#44241963)

    If I update the library it resolves the problem for all users of the library. Therefore, the problem is in the shared library, not in the users of that library.

    It may be possible to trigger the bug in users of the library, but the actual error (and the thing that must be fixed) is in the library, not the program using it.

  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Wednesday July 10, 2013 @05:21PM (#44243909)
    Comment removed based on user account deletion

Slashdot Top Deals

Anyone can make an omelet with eggs. The trick is to make one with none.

Close