MPlayer, VLC Media Player Hit By Critical Vulnerability (hackread.com)
A critical remote code execution vulnerability has been spotted in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. "Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263+, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis," reports Hackread. From the report: These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP, the report explains. An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players, make sure they are updated to the latest version.
VLC hasn't been updated... (Score:3)
Re: (Score:2)
Yep, 3.0.4 came out on August 31. I don't see anything on their website or FTP server about a newer release.
The dev changelog [videolan.org] does refer to a version 3.0.5, but the changes listed there don't include fixing this vulnerability.
Re: (Score:3, Interesting)
What is the updated version? (Score:5, Insightful)
Re: (Score:1)
It's not VLC per se that's vulnerable. It's the live555 streaming libraries that are. The version of liblivemedia that's vulnerable is 0.92. The CVE for it doesn't mention if prior versions are also vulnerable.
But VLC 3.0 sucks. (Score:1)
Last time I tried it, the control interface couldn't be moved to another monitor. Plus, it could only use a limited number of video output modules, some of which were blocky or poor performing.
Tiny minority affected (Score:1)
Almost nobody that uses VLC will actually be affected by this bug
Re: (Score:2)
Almost nobody that uses VLC will actually be affected by this bug
[citation needed]
Re: (Score:1)
Network streaming (which this library is used for) and playback of local files (what the vast majority of users actually, and only, use VLC for) are not the same.
Re: (Score:2)
What makes you think that nobody streams media from the internet?
Re: (Score:2)
Re: (Score:2)
I hope that you will soon also understand that you are also a hazard to security. It should be obvious that many applications depend on VLC and therefore live555, and that many users use these to access media remotely. The coward had a chance to think critically, possibly redeeming themselves for an obviously stupid comment; why should I be surprised that that was a complete fail? And why should I be surprised that some other coward hopes to defend their imagined duty to be clueless on the internet?
Re: (Score:2)
So who's clueless on the internet?
The one who thought nobody was vulnerable ("a tiny minority") without being able to factually support that belief, until an upstream developer weighed in, and who is still wrong to believe that it is OK for even a minority to risk their security needlessly, and advocates for others to follow that path. That would be you, apparently.
Re: (Score:1)
People are welcome to risk their own systems in whatever way they wish, but posting random advice to the internet advocating that others do the same is not OK. BTW, your comment doesn't make any sense at all; do you always talk like that?
Re: (Score:1)
He doesn't think that nor did he say anything implying that he might think that.
Most people who stream from the Internet aren't using VLC for that. They're probably using web browsers, and Netflix clients (which can't ever be VLC), and on mobiles they might be using a dedicated YouTube client. And some others. Rarely VLC/mpv/mplayer/xine/parole/etc.
Most people who use VLC (and mpv and parole and mplayer) are playing local files.
The two groups do intersect, but not much. Streaming video is mostly a business thing.
RTFA (Score:3, Insightful)
Do this right away (Score:2, Informative)
Debian users, do this right away:
sudo apt upgrade && sudo apt install liblivemedia62:amd64 liblivemedia64:amd64
For buster/sid, this updates to versions 2018.10.17-1 and 2018.08.28a-1. Then check to see if these have the fix; I think they do, but I have not verified yet.
This update takes less than 1 minute to do, there is not the slightest excuse for procrastinating.
Re: (Score:2)
Debian status of this vulnerability [debian.org]
Looks like it's fixed in Sid (I'm OK!) but testing and stable are still vulnerable as of right now.
Re:Do this right away (Score:4, Informative)
Gah, typoed that. Should be:
sudo apt update && sudo apt install liblivemedia62:amd64 liblivemedia64:amd64
Not sure which of those two libraries has the hole, maybe both.
Re: Do this right away (Score:5, Funny)
Thanks for fixing, because I usually just cut & paste any sudo command.
Re: (Score:2)
Good work for spotting and pointing out the original problem, much more useful than posting a random snipe to the internet.
Re:Bad Debian advice (Score:1)
Never 'apt upgrade' or perform any other apt operation without first running 'apt update' to make sure that you are working with the latest package sets.
People who complain about practically nonexistent problems such as "dependency hell" are always painting themselves into this corner...
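The thread's procedure (run `apt update` first, install the updated liblivemedia packages, then check that the installed versions actually carry the fix) can be scripted so the version check is not left to eyeballing. The script below is an added example, not code from any poster in this thread or from Debian; it reads installed package versions from `dpkg-query` when available and otherwise falls back to a constructed sample. The "fixed" version it compares against is an assumption taken from the 2018.10.17-1 figure quoted in the thread, not a value confirmed by the page; the Debian security tracker entry linked above is the authoritative source for the real fixed version.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether installed liblivemedia
# packages are at or above an assumed fixed version. Override FIXED_VERSION
# with the value from the Debian security tracker; 2018.10.17-1 is only the
# version the thread mentions for sid, not a confirmed fix version.
FIXED_VERSION="${FIXED_VERSION:-2018.10.17-1}"

# version_ge A B: succeed if A >= B in version ordering. Uses `sort -V`, which
# approximates dpkg's ordering well enough for these date-based versions.
version_ge() {
    [ "$1" = "$2" ] && return 0
    highest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
    [ "$highest" = "$1" ]
}

# check_livemedia: reads "package version" lines on stdin, reports each as
# OK or VULNERABLE, and returns 1 if any package is below FIXED_VERSION.
check_livemedia() {
    rc=0
    while read -r pkg ver; do
        [ -z "$pkg" ] && continue
        if version_ge "$ver" "$FIXED_VERSION"; then
            echo "OK         $pkg $ver"
        else
            echo "VULNERABLE $pkg $ver (< $FIXED_VERSION)"
            rc=1
        fi
    done
    return $rc
}

# Demo: on a Debian system query the real packages; elsewhere use a constructed
# sample with one package below and one at the assumed fixed version.
if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version}\n' 'liblivemedia*' 2>/dev/null \
        | check_livemedia || echo "at least one liblivemedia package needs updating"
else
    printf 'liblivemedia62 2018.08.28a-1\nliblivemedia64 2018.10.17-1\n' \
        | check_livemedia || echo "(constructed sample) one package flagged"
fi
```

Run it after the `sudo apt update && sudo apt install ...` step from the corrected post; a non-zero exit from `check_livemedia` means the installed version is still older than whatever you set `FIXED_VERSION` to.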
No Update Yet (Score:1)
Re: (Score:2)
Anything more than a few bytes is enough to own you.
Re: (Score:2)
3.0.5 is still a development branch; if you wait for that you will be waiting a long time. You need a security patch. Already landed in Debian/Sid, good luck with Windows.
No, it doesn't affect *any* media player (Score:5, Informative)
The bug - which has now been fixed in the LIVE555 library (with the fix already reported to Cisco) - affected only the LIVE555 library's implementation of an RTSP *server*. It doesn't affect the implementation of an RTSP *client*, which is the only part of the LIVE555 library that VLC and MPlayer use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555's.)
(I know this because I'm the author of the LIVE555 software :-)
Re: (Score:2)
Thanks for that.
Re: (Score:1)
Eh, you lost the plot. It is a real vulnerability and people are really exposed to it. It was clarified that VLC servers are vulnerable to malicious clients, not the other way round. That means a much smaller group is exposed, but in a way, it makes it worse.
Re: (Score:2, Insightful)
Wish I'd seen this *before* I caved in to everyone's panic and updated VLC, only to instantly discover that at least one feature I constantly use was now totally broken. Thankfully the old versions were still available on the website.
THIS IS WHY I NEVER UPDATE SHIT
Re: No, it doesn't affect *any* media player (Score:2)
I greatly appreciate your post and rapid fix.
Would static checkers have helped?
Re: (Score:2)
Is any of the LIVE555 software used to stream VLC video to an Android device? e.g. chromecasting or Miracast(?) from a media PC to an Android TV?
When VLC had the bug that wouldn't allow streaming from a VLC client on a PC to a TV (using Chromecast), I recall a precursor protocol that allowed DLNA devices connectivity between each other for streaming purposes.
Re: (Score:2)
It's 2018, and /. is still relevant ( 5 digit UID's represent!!! )
Re: (Score:2)
That is supported by a blog post at https://threatpost.com/critica... [threatpost.com]. It would be appreciated if people would learn the difference between a server and a client.
Question (Score:2)
Would any existing static checker free for use with open source have identified the bug?
If yes, then there should be an obligation to use them in key software.
If no, then we need to sort out the lack of testing common in the software industry as a whole.
watch video offline (Score:1)
No they aren't (Score:2)
Appears to be a false alarm: (Score:1)
"Update: According to an email from Ross Finlayson of Live Networks, Inc., the vulnerability "does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP client. The bug affected only our implementation of an RTSP server, which these media players don't use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555's.)""
Slashdot editors fix the headline and summary (Score:5, Informative)
Please can the Slashdot editors fix the headline and summary to reflect the actual situation as per Ross Finlayson's post [slashdot.org]. Which is to say MPlayer and VLC Media Player were not vulnerable and there's no need to panic. The article linked to in the summary is plain wrong and really needs to be retracted.