Security company reports vulnerability in VLC, but it's already patched

Originally published at: https://boingboing.net/2019/07/24/using-vlc-your-computers-vu.html

Maybe I’m spoiled, but I’m used to articles reporting bugs doing more than clutching pearls and snarking about porn consumption, so I clicked thru and clicked thru again to get to the VLC forums where I found a number of reassuring statements about how this bug functions, with the post at the bottom of the page reading "Issue is too old libebml in Ubuntu 18.04: libebml 1.3.6 fixes this issue. End of story: VLC is not vulnerable, whether this is 3.0.7.1 or even 3.0.4. The issue is in a 3rd party library, and it was fixed in VLC binaries version 3.0.3, out more than one year ago…"

From what I gleaned in a quick read, you need a malformed video file and for it to be set to loop once, and then for a memory leak to cause a problem.

Oh, and hahahah people watch porn!

21 Likes

This is not the full story.

See here:

Tl;dr: this was a bug in a 3rd party library, fixed 18 months ago. The powers that be are not communicating with the VLC team.

14 Likes

WTF lol, from the Gizmodo article this post mentions:

[Update 8:35 AM] Based on a tweet by VideoLAN, VLC may not be as vulnerable as it initially appeared. VideoLAN says the “security issue” in VLC was caused by a third-party library called Libebml that was fixed 16 months ago, and that Mitre’s claim was based on a previous (and outdated) version of VLC.

Ok Gizmodo…

2 Likes

Current Raspbian Buster VLC version 3.0.7. No worries.

2 Likes

Just a quick question about the security hole that, apparently, no longer exists. Was it:

  1. Having VLC installed opened a hole in your computer that anyone can execute commands through.
  2. Viewing videos through VLC allowed attacks embedded in the videos you’re viewing.

Those two are radically different things. If it’s the first I’m a little worried even if they’ve fixed it since I feel like that just shouldn’t be happening. If it’s the second then I can continue to use VLC to watch DVDs we take out of the library without concern.

5 Likes

Thanks for the new euphemism/innuendo…

5 Likes

Bellamy needs to update his story and in the future he should do a little more fact checking.

5 Likes

Thanks so much for noticing that, I’m absolutely going to start using “steam it”.

7 Likes

Looks like your answer is #2. Here’s VLC’s tweet with some language cleanup:

Any non-exploitable read overflow gets a Common Vulnerability Scoring System rating of 9.8, as if VLC is a server and one could do remote code execution and compromise the machine. While most of the time, the issue is a crash, often not exploitable, from a local file that the user HAS to open manually.

BTW when is Boing Boing going to stop spreading fake news? How bout doing a story on how agencies and reporters in the IT security space unfairly screw over small nonprofits?

5 Likes

So, all y’all that said viewing porn offline with VLC instead of letting Google watch you steam it was a good idea?

It’d be totally pedantic to point out the typo here, but in this case, I think it improves the sentence. :smiley:

4 Likes

There might be confusion with Steam porn.

3 Likes

If you read the security report, you’ll see this was just a buffer over-read bug. An automated testing tool detected that with a specific malformed file, the software would read past the end of a buffer. This hardly has the ability to make your computer “vulnerable to hackers.”

If you look at the CVSS scores, it is obvious most of the claims are incorrect. Whoever entered the report basically went with “buffer overrun = hackers can do anything to your computer”.

2 Likes
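To make the bug class in the post above concrete, here is an added example (mine, not libebml's code and not the actual defect being discussed). Matroska/EBML files are sequences of elements, each an ID, a variable-length size field, and a payload; a file whose size field claims more payload than actually follows is the textbook trigger for reading past the end of a buffer. The two readers below parse the same constructed bytes: one trusts the declared size, the other checks it against the bytes remaining. The element IDs and sample streams are constructed for illustration.

```python
"""EBML-style element reader: trusting vs. bounds-checked (added example)."""


def read_vint(buf: bytes, pos: int, keep_marker: bool = False):
    """Decode an EBML variable-size integer starting at buf[pos].

    The number of leading zero bits in the first byte (plus one) gives the
    total length; the first 1 bit is a marker that is stripped for sizes
    but kept for element IDs. Returns (value, position after the vint).
    """
    if pos >= len(buf):
        raise ValueError("truncated: no bytes left for vint")
    first = buf[pos]
    if first == 0:
        raise ValueError("invalid vint: first byte is zero")
    length = 1
    mask = 0x80
    while not first & mask:
        mask >>= 1
        length += 1
    if pos + length > len(buf):
        raise ValueError("truncated: vint runs past end of buffer")
    value = first if keep_marker else first & (mask - 1)
    for b in buf[pos + 1 : pos + length]:
        value = (value << 8) | b
    return value, pos + length


def read_elements_trusting(buf: bytes):
    """Trusts the declared size. In C this is where the over-read happens;
    Python slicing silently returns fewer bytes than declared instead, which
    is a different symptom (truncated data) from the same root cause."""
    pos, out = 0, []
    while pos < len(buf):
        eid, pos = read_vint(buf, pos, keep_marker=True)
        size, pos = read_vint(buf, pos)
        out.append((eid, buf[pos : pos + size]))
        pos += size
    return out


def read_elements_checked(buf: bytes):
    """Same parse, but rejects any element whose declared size exceeds the
    bytes remaining: the check that prevents the over-read."""
    pos, out = 0, []
    while pos < len(buf):
        eid, pos = read_vint(buf, pos, keep_marker=True)
        size, pos = read_vint(buf, pos)
        if size > len(buf) - pos:
            raise ValueError(
                f"element 0x{eid:X} declares {size} bytes, only {len(buf) - pos} remain"
            )
        out.append((eid, buf[pos : pos + size]))
        pos += size
    return out


# Constructed inputs (not real Matroska files): a well-formed pair of
# elements, and the same stream with the second size field inflated.
GOOD = bytes([0x42, 0x86, 0x81, 0x01,        # ID 0x4286, size 1, payload 0x01
              0x42, 0x82, 0x83]) + b"mkv"    # ID 0x4282, size 3, payload "mkv"
MALFORMED = bytes([0x42, 0x86, 0x81, 0x01,
                   0x42, 0x82, 0x40, 0xFF]) + b"mkv"  # size 255, only 3 bytes follow

if __name__ == "__main__":
    print("trusting reader:", read_elements_trusting(MALFORMED))
    try:
        read_elements_checked(MALFORMED)
    except ValueError as err:
        print("checked reader rejected the file:", err)
```

The check is one comparison, which is why a fuzzer finds this class of bug so readily: the parser is correct on every well-formed file and only the size field of a malformed one exposes the missing comparison.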

from a local file that the user HAS to open manually.

Like one they might have downloaded from a bad Bittorrent? Can’t imagine a VLC user doing that…

Sorry, I can’t say I like the way VLC is handling this. I can partly understand their frustration, but this approach leaves users out in the cold. A lot of the time you install software like this and it says, “Oh BTW, you need this open-source library as well”. Sure, you say – and then forget all about it. Whether the vulnerability exists in the library is less relevant than the fact that user interaction with VLC is the attack vector.

Companies have played hot potato on bugs in the past to user detriment – with two parties both making reasonable arguments that the bug in question wasn’t theirs to fix. The better approach is for both entities to patch a workaround and/or fix and hope that most users will notice and install at least one.

It looks like someone finally fixed up the CVSS scores. Also, VideoLAN has closed the ticket since the issue was fixed a long time ago. Ergo, there’s nothing wrong with the current version of VLC.

2 Likes

Seeing a lot of confusing chatter on this online. Can you maybe clue me in on why VLC would load an old copy of the library in question from the system if it comes with a current version of the library as part of the software?

from a local file that the user HAS to open manually.

Like one they might have downloaded from a bad Bittorrent? Can’t imagine a VLC user doing that…

The CVSS system exists specifically to differentiate the nature of the exploit, including the attack vectors and impact. In this case, the originally submitted CVSS indicated the vulnerability could be exploited remotely over the internet, required no user action, and that the hacker could gain total control of the target system. None of that is true - this bug can only be exploited locally and requires the user to perform a specific action (play a file that is corrupted in a specific way). And there’s no evidence the exploit can do anything other than crash VLC.

Gizmodo are deleting comments calling out the (lack of) issue. Classy

4 Likes

It doesn’t work that way. On operating systems where you download libraries manually, typically all required libraries are bundled with VLC, so when you update VLC all libraries are updated too. On operating systems with a built-in package manager (like Debian, Ubuntu, etc.) libraries update automatically, and the package maintainer can just set up a dependency (in this case for libebml >= 1.3.6) that won’t let you use an outdated library. For systems where you compile software locally a version dependency can also be set up to avoid using an outdated library.

1 Like
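The dependency the post above mentions (libebml >= 1.3.6) is a version constraint, and the way a package manager evaluates one is worth seeing because it is easy to get wrong. The added example below (my code, not VLC's packaging or any distribution's tooling) parses dotted versions numerically, evaluates constraints of that form, and reports which entries of a constructed installed-package inventory would block the install. The inventories and the libmatroska constraint are made-up illustration values; the libebml constraint is the one from the post.

```python
"""Dependency-constraint evaluation of the kind a package maintainer encodes
(added example)."""
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       ">": operator.gt, "<": operator.lt, "=": operator.eq}

# name, operator, version; e.g. "libebml >= 1.3.6"
_CONSTRAINT = re.compile(
    r"^\s*([A-Za-z0-9.+_-]+)\s*(>=|<=|==|>|<|=)\s*([0-9][0-9.]*)\s*$"
)


def parse_version(text: str) -> tuple:
    """'1.3.6' -> (1, 3, 6). Components compare numerically, so 1.3.10 > 1.3.6,
    which plain string comparison gets wrong. Trailing zeros are dropped so
    that 1.3 and 1.3.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_constraint(text: str):
    m = _CONSTRAINT.match(text)
    if not m:
        raise ValueError(f"unparseable constraint: {text!r}")
    name, op, ver = m.groups()
    return name, OPS[op], parse_version(ver)


def satisfied(installed_version: str, constraint: str) -> bool:
    _, op, wanted = parse_constraint(constraint)
    return op(parse_version(installed_version), wanted)


def unmet(installed: dict, constraints: list) -> list:
    """Return (name, installed_version, constraint) for every constraint the
    installed set fails; a package that is absent counts as unmet."""
    problems = []
    for c in constraints:
        name, op, wanted = parse_constraint(c)
        have = installed.get(name)
        if have is None or not op(parse_version(have), wanted):
            problems.append((name, have, c))
    return problems


# Constructed inventories (illustration only, not a real distribution's state).
OLD_SYSTEM = {"vlc": "3.0.7.1", "libebml": "1.3.5", "libmatroska": "1.4.8"}
CURRENT_SYSTEM = {"vlc": "3.0.7.1", "libebml": "1.3.10", "libmatroska": "1.4.8"}
# The first constraint is the one named in the post; the second is made up.
VLC_DEPENDS = ["libebml >= 1.3.6", "libmatroska >= 1.4.8"]

if __name__ == "__main__":
    for label, inv in (("old system", OLD_SYSTEM), ("current system", CURRENT_SYSTEM)):
        print(f"{label}: unmet = {unmet(inv, VLC_DEPENDS)}")
```

The point of the numeric comparison is the 1.3.10 case: a constraint checker that compares version strings lexically would report a fixed library as too old (or, with other digits, an old one as new enough), which is the kind of mistake that makes a "VLC is vulnerable on this system" claim depend on which tool did the checking.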

I’m… literally… using VLC right now to listen to music playlists because I was tired of iTunes. Nice to see this is a non-issue and I can carry on.

2 Likes