Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Media Privacy

MPlayer, VLC Media Player Hit By Critical Vulnerability (hackread.com) 72

A critical remote code execution vulnerability has been spotted in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. "Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263 +, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis," reports Hackread. From the report: These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP, explains. An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players make sure they are updated to the latest version.
This discussion has been archived. No new comments can be posted.

MPlayer, VLC Media Player Hit By Critical Vulnerability

Comments Filter:
  • by dicobalt ( 1536225 ) on Sunday October 21, 2018 @09:10PM (#57515226)
    It's still 3.0.4 which I've had for a while now.
    • by ShaunC ( 203807 )

      Yep, 3.0.4 came out on August 31. I don't see anything on their website or FTP server about a newer release.

      The dev changelog [videolan.org] does refer to a version 3.0.5, but the changes listed there don't include fixing this vulnerability.

    • Re: (Score:3, Interesting)

      Ver 3.0.3 "Updates 3rd party libraries for security issues"
  • by Registered Coward v2 ( 447531 ) on Sunday October 21, 2018 @09:13PM (#57515238)
    It would be helpful if articles such as this listed what VLC versions (or other software) have addressed this flaw, rather than just say have the latest updated. From the article the assumption is if you have the Win/OS X/Linux updated to the latest version you are not vulnerable.
    • by Anonymous Coward

      It's not VLC per se that's vulnerable. It's the live555 streaming libraries that are. The version for liblivemedia that's vulnerable is 0.92 The CVE for it doesn't mention if prior versions are also vulnerable.

  • by Anonymous Coward

    Last time I tried it, the control interface couldn't be moved to another monitor. Plus, it could only use a limited number of video output modules, some of which were blocky or poor performing.

  • by Anonymous Coward

    Almost nobody that uses VLC will actually be affected by this bug

    • Almost nobody that uses VLC will actually be affected by this bug

      [citation needed]

      • by Anonymous Coward

        nework streaming (which this library is used for) and playback of local files (what the vast majority of users actually, and only, use vlc for) are not the same.

        • What makes you think that nobody streams media from the internet?

          • by AHuxley ( 892839 )
            Could downloaded media be made to call home on a few different OS?
          • by Anonymous Coward

            He doesn't think that nor did he say anything implying that he might think that.

            Most people who stream from Internet aren't using VLC for that. They're probably using web browsers, and Netflix clients (which can't ever be VLC) and on mobiles they might be using a dedicated Youtube client. And some others. Rarely VLC/mpv/mplayer/xine/parole/etc.

            Most people who use VLC (and mpv and parole and mplayer) are playing local files.

            The two groups do intersect, but not much. Streaming video is mostly a business thing

      • RTFA (Score:3, Insightful)

        by notb666 ( 1863678 )
        According to an email from Ross Finlayson of Live Networks, Inc., the vulnerability “does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP. The bug affected only our implementation of a RTSP, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s.)”
  • Do this right away (Score:2, Informative)

    by Tough Love ( 215404 )

    Debian users, do this right away:

          sudo apt upgrade && sudo apt install liblivemedia62:amd64 liblivemedia64:amd64

    For buster/sid, this updates to versions 2018.10.17-1 and 2018.08.28a-1. Then check to see if these have the fix, I think they do but I have not verified yet.

    This update takes less than 1 minute to do, there is not the slightest excuse for procrastinating.

  • As of 2018-10-21 01:35 EDT three is no update for VLC Media Player they are still at 3.0.4 from a month or two back. Version 3.0.5 would be the updated version.
    • 3.0.5 is still a development branch, if you wait for that you will be waiting a long time. You need a security patch. Already landed in Debian/Sid, good luck with Windows.

  • by Ross Finlayson ( 17913 ) on Sunday October 21, 2018 @11:29PM (#57515512) Homepage

    The bug - which has now been fixed in the LIVE555 library (with the fix already reported to Cisco) - affected only the LIVE555 library's implementation of a RTSP *server*. It doesn't affect the implementation of a RTSP *client*, which is the only part of the LIVE555 library that VLC and MPlayer use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555's.)

    (I know this because I'm the author of the LIVE555 software :-)

    • Thanks for that.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Wish I'd seen this *before* I caved in to everyone's panic and updated VLC, only to instantly discover that least one feature I constantly use was now totally broken. Thankfully the old versions were still available on the website.

      THIS IS WHY I NEVER UPDATE SHIT

    • I greatly appreciate your post and rapid fix.

      Would static checkers have helped?

    • Is any of the LIVE555 software used to stream VLC video to an android device? e.g. chromecasting or miracast(?) from a media PC to android TV?

      When vlc had the bug that wouldn't allow streaming from a vlc client on a PC to a TV (using chromecast), I recall a precursor protocol that allowed DLNA devices connectivity between each other for streaming purposes..

    • It's 2018, and /. is still relevant ( 5 digit UID's represent!!! )

    • by DERoss ( 1919496 )

      That is supported by a blog post at https://threatpost.com/critica... [threatpost.com]. It would be appreciated if people would learn the difference between a server and a client.

  • by jd ( 1658 )

    Would any existing static checker free for use with open source have identified the bug?

    If yes, then there should be an obligation to use them in key software.

    If no, then we need to sort out the lack of testing common in the software industry as a whole.

  • if using the application only to watch offline videos affected?
  • This article is grossly inaccurate and blatantly wrong. https://twitter.com/videolan/s... [twitter.com] + https://twitter.com/hanno/stat... [twitter.com]
  • by Anonymous Coward

    "
    Update:

    According to an email from Ross Finlayson of Live Networks, Inc., the vulnerability “does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP. The bug affected only our implementation of a RTSP, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s.)”

    "

  • by caseih ( 160668 ) on Monday October 22, 2018 @08:59AM (#57516917)

    Please can the slashdot editors fix the headline and summary to reflect the actual situation as per Ross Finlayson's post [slashdot.org]. Which is to say Mplayer and VLC Media Player were not vulnerable and there's no need to panic. The article linked to in the summary is plain wrong and really needs to be retracted.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...