Security company reports vulnerability in VLC, but it's already patched

VLC does not load an old copy of the library. The bug was fixed long ago. There is no current bug.

I was going to say, “No, not you too VLC!” as it is the one program that seems to work very well.

But it looks like it fixed this issue - so Yay!


Discovered by German security agency CERT-Bund

“security” my ass! CERT-Bund and BSI are notorious for spreading hyped-up “cyber”-BS-“warnings” without even communicating beforehand with the affected company; these “official” German agencies usually have no fucking idea what they are talking about, and as others mentioned before, this “vulnerability” was already fixed 18 months ago, so please, @SeamusBellamy, it would be really nice to update your post.


Ya, riding the bus into work today I was inundated with “VLC will burn your house down!” stories from the internet. I guess fake news is ok if it’s about something inconsequential?

Yup. This is the same type of vulnerability that felled Nintendo’s 3DS protection and the same type leveraged in Stagefright, an attack that hit embedded libraries in Android 2.2 through 4.4.4.

@beschizza has updated the post accordingly.


The problem is in a third party library, which has already been fixed, so the real problem is that the newer version of the library hasn’t been included in the Ubuntu repositories yet.
There is literally nothing the VLC team can do about this (it’s notoriously difficult to persuade repo maintainers to update package versions, even if it’s your software).

If you’re running VLC on Windows or OSX then as long as your copy of VLC is up to date, then you’ll have the latest version of the library. This is only a problem on (a particular flavour of) Linux, where the user is expected to be somewhat savvy and to be able to install newer versions of third party libraries.
There are downsides to software being packaged as pre-compiled binaries with static libraries, but in this case it’s an upside.

The day I convinced my office manager we needed VLC and to get our agency IT to bloody well approve its use already was a damned good day. Because of the nature of our work, we have to look at a whole bunch of different video file types. VLC made it SO much easier. I was worried we would lose our access :frowning:
Good to know it was all stupid hype.


Thanks for taking the time to explain thoughtfully – I can see I had the correct read on this situation. Obviously, the original security researcher vastly overinflated the severity and scope of the bug. That said, it’s still a bug.

Again, as a sysadmin and user advocate, I don’t particularly like this approach. Why not make a specific version of the library a requirement for launching VLC? Anyone I’ve suggested this to has been insulting or dismissive, with one Twitter user telling me to write the patch myself and submit it to the repository (the subtext: if you can’t code, then butt-out).

Anyway, thanks again for your thoughtful and polite reply, and for taking the effort to explain.
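The check that the two posts above discuss (the explanation that the bug lives in a dynamically linked third-party library the distro has not yet updated, and the sysadmin's request that the player refuse to launch against a too-old copy), as an added example that is not VLC code and was not written by either commenter: a launch-time wrapper that asks the dynamic loader which copy of a library a binary will actually load, resolves the soname symlink to the real file, and fails closed unless that file's version meets a fixed minimum. The library name libexamplecontainer, the sample ldd output and the symlink targets are constructed for illustration and are not VLC's real dependencies.

```python
"""Launch-time check that a dynamically linked library meets a minimum version.

Added example for this thread; not VLC code. All library names, paths and
ldd output below are constructed for illustration.
"""
import os
import re
import subprocess
from typing import Callable, Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constructed `ldd` output for a hypothetical player binary. "libexamplecontainer"
# is a made-up name standing in for whichever third-party library is at issue.
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd1c3f2000)\n"
    "\tlibexamplecontainer.so.4 => /usr/lib/x86_64-linux-gnu/libexamplecontainer.so.4 (0x00007f2a1c000000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1bc00000)\n"
    "\tlibmissingcodec.so.2 => not found\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f2a1c400000)\n"
)

# Constructed: where the soname symlinks above point on this hypothetical host.
SAMPLE_REALPATHS = {
    "/usr/lib/x86_64-linux-gnu/libexamplecontainer.so.4":
        "/usr/lib/x86_64-linux-gnu/libexamplecontainer.so.4.0.0",
    "/lib/x86_64-linux-gnu/libc.so.6": "/lib/x86_64-linux-gnu/libc-2.31.so",
}

_RESOLVED = re.compile(r"^\s*(\S+) => (\S+) \(0x[0-9a-f]+\)\s*$")
_NOT_FOUND = re.compile(r"^\s*(\S+) => not found\s*$")


def parse_ldd(text: str) -> Dict[str, Optional[str]]:
    """Map each needed soname to the path the loader resolved it to.

    A library the loader could not find maps to None; the vDSO and the
    loader itself (lines without '=>') are skipped.
    """
    deps: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = _RESOLVED.match(line)
        if m:
            deps[m.group(1)] = m.group(2)
            continue
        m = _NOT_FOUND.match(line)
        if m:
            deps[m.group(1)] = None
    return deps


def parse_version(filename: str) -> Version:
    """'libfoo.so.1.3.6' -> (1, 3, 6); numeric so that 1.10 sorts after 1.9."""
    m = re.search(r"\.so\.([0-9]+(?:\.[0-9]+)*)$", filename)
    if not m:
        raise ValueError(f"no version suffix in {filename!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def check_minimum(
    deps: Dict[str, Optional[str]],
    realpath: Callable[[str], Optional[str]],
    lib_prefix: str,
    minimum: Version,
) -> Tuple[bool, Optional[str], Optional[Version]]:
    """Return (ok, real_path, version) for the dependency whose soname starts
    with lib_prefix. ok is False when the library is not linked at all, could
    not be resolved, or has no parseable version: an unknown version must
    never pass the check."""
    for soname, path in deps.items():
        if not soname.startswith(lib_prefix):
            continue
        if path is None:
            return False, None, None
        real = realpath(path) or path
        try:
            version = parse_version(os.path.basename(real))
        except ValueError:
            return False, real, None
        return version >= minimum, real, version
    return False, None, None


def live_check(binary: str, lib_prefix: str, minimum: Version):
    """Same check against a real binary on this host, using ldd and realpath."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True,
                         check=True).stdout
    return check_minimum(parse_ldd(out), os.path.realpath, lib_prefix, minimum)


if __name__ == "__main__":
    ok, path, ver = check_minimum(parse_ldd(SAMPLE_LDD), SAMPLE_REALPATHS.get,
                                  "libexamplecontainer.so", (4, 0, 0))
    print("ok" if ok else "REFUSING TO LAUNCH", path, ver)
```

Two caveats a practitioner should keep in mind. The number in a shared object's real filename is the linker's ABI version, not the upstream release number, so a security fix that does not bump it is invisible to this check; where that is the case, compare the distro package version instead (dpkg-query -W on Debian/Ubuntu, rpm -q on Fedora) and keep the fail-closed behaviour. And a statically linked build, the Windows and macOS case described above, shows nothing in ldd because the library is inside the binary; there the only meaningful version to check is the player's own.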

