VLC And Secunia Fighting Over Vulnerability Reports

benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.
  • Not invented here (Score:0, Interesting)

    by Anonymous Coward on Wednesday July 10, 2013 @11:48AM (#44239353)

    C'mon Secunia, security isn't about bickering. You don't just throw proof-of-concept at someone and say "FIX IT FIX IT FIX IT" without buying them dinner first.

  • Put up or shut up (Score:2, Interesting)

    by Anonymous Coward on Wednesday July 10, 2013 @11:53AM (#44239435)

    "Kaveh Ghaemmaghami has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system."
    "The vulnerability is caused due to a use-after-free error when releasing a picture object during decoding of video files. This can be exploited to reference an object's callback function pointer from already freed memory. Successful exploitation may allow execution of arbitrary code."

    Well if it can be exploited to execute arbitrary code, why not exploit it to execute arbitrary code? Or shut up and stop talking garbage ("to reference an object's callback function pointer" What?? Is that supposed to sound technical while being gibberish?).

    Put up or shut up and the argument becomes more regular and concrete like most exploits.
    i.e. proof of concept, the thing that seems to be missing from Secunia's claim.

  • Re:... citation? (Score:5, Interesting)

    by dgatwood ( 11270 ) on Wednesday July 10, 2013 @12:47PM (#44240329) Homepage Journal

    No citation needed. AFAIK, there are no known vectors for exploiting an uncaught exception, with two exceptions:

    • If the exception itself causes some secret information to be leaked to a log file somewhere. This does not apply because the content being played is owned by the computer's owner, who also owns the log files.
    • If the exception causes some component to get freed and you end up with a use-after-free situation (or it causes some process to die and some other process fails to handle that death in a safe manner). Presumably VLC is designed to handle codecs going away, but if not, then that is the exploitable vulnerability, not the exception itself.
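
The failure mode discussed in the summary and in the comment above (an oversized chunk size raising an exception that nothing catches, ending in `std::terminate`), as an added example that is not VLC's or the Matroska demuxer's code. `Chunk`, `kMaxChunk` and the function names are hypothetical; the sketch shows the exception caught at the module boundary and the size rejected before any allocation.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <exception>
#include <vector>

// Constructed stand-in for a container chunk header plus the bytes actually present.
struct Chunk {
    std::uint64_t declared_size;   // size field read from untrusted input
    const std::uint8_t* data;
    std::size_t available;         // bytes really left in the stream
};

enum class Status { Ok, Rejected, Failed };
constexpr std::uint64_t kMaxChunk = 16u * 1024 * 1024;  // assumed policy limit

// Trusts the size field: an absurd value makes std::vector throw
// (std::length_error or std::bad_alloc). If nothing up the stack catches it,
// the runtime calls std::terminate and the process dies.
std::vector<std::uint8_t> read_unchecked(const Chunk& c) {
    std::vector<std::uint8_t> buf(static_cast<std::size_t>(c.declared_size));
    for (std::size_t i = 0; i < buf.size() && i < c.available; ++i) buf[i] = c.data[i];
    return buf;
}

// Layer 1: catch at the module boundary so a throwing parser becomes an error code.
Status demux_guarded(const Chunk& c, std::vector<std::uint8_t>& out) {
    try {
        out = read_unchecked(c);
        return Status::Ok;
    } catch (const std::exception&) {
        out.clear();
        return Status::Failed;
    }
}

// Layer 2: reject impossible sizes before allocating anything.
Status demux_validated(const Chunk& c, std::vector<std::uint8_t>& out) {
    if (c.declared_size > kMaxChunk || c.declared_size > c.available) return Status::Rejected;
    return demux_guarded(c, out);
}

int main() {
    const std::uint8_t bytes[4] = {1, 2, 3, 4};          // constructed sample payload
    std::vector<std::uint8_t> out;
    Chunk good{4, bytes, sizeof bytes}, huge{UINT64_MAX, bytes, sizeof bytes};
    std::printf("good=%d huge(guarded)=%d huge(validated)=%d\n",
                (int)demux_validated(good, out), (int)demux_guarded(huge, out),
                (int)demux_validated(huge, out));
}
```
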
  • Re:Mein Kempf (Score:4, Interesting)

    by Ash Vince ( 602485 ) * on Wednesday July 10, 2013 @01:26PM (#44240997) Journal

    protip: patent infringement != libel/slander ;)

    It is still running to a bunch of lawyers though to settle what should be a technical issue.

    He is worried about the damage to his wonderful player's reputation by Secunia filing a few bug reports? It works both ways: if they have filed bugs based on security issues that do not exist, that damages their reputation. Surely it makes more sense to have a discussion between two techies regarding the expected behaviour of the application. I don't see what a bunch of lawyers can contribute to that.

    Oh, apart from burning them to keep the techies warm :)
