vlc: serious security issue

[PMc]

Today all over the newspapers is a report that some really serious security flaw was found in vlc, and one should stop using it for now.

I tried to investigate, but didn't get much of a clue what the problem actually is. From what I could figure from the reports, there seems to be a buffer overflow, so that a specially crafted video clip could run arbitrary code on the machine. Or at least thats what I understood.

Anybody having more substantial info?

 

[SirDice]

Took me two minutes to check their website: https://www.videolan.org/security/sa1901.html

 

[PMc]

Took me two minutes to check their website: https://www.videolan.org/security/sa1901.html

Yeah, but that's the wrong one!

That one states it is solved in 3.0.7. The current media reports say 3.0.7.1 is the compromised version, and there is no fix:

VLC player has 'critical' security flaw

Researchers warn on significant vulnerability in popular media player

www.techradar.com

NVD - CVE-2019-13615

nvd.nist.gov

 

[SirDice]

The previous SA actually sounds more like what you described. For some reason that new bug description doesn't appear to be all that dangerous.

But I wouldn't be surprised if it was mentioned in mainstream media and they managed to get their facts mixed up.

 

[SirDice]

Interesting remark on the Videolan ticket: https://trac.videolan.org/vlc/ticket/22474

If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.

 

[PMc]

The previous SA actually sounds more like what you described. For some reason that new bug description doesn't appear to be all that dangerous.

But I wouldn't be surprised if it was mentioned in mainstream media and they managed to get their facts mixed up.

That's why I posted the thread. The whole thing is somehow strange, might be a regression, or whatever, and doesn't get fully clear.

Interesting remark on the Videolan ticket: https://trac.videolan.org/vlc/ticket/22474

Okay, now it gets grotesque. The "fake news source" appears to be the "CERT-Bund", and the actual fake news on techradar.com is to call that a "firm" - because in fact it's the German government (who seems to be the fake news distributor):

Kurzinfo CB-K19/0634

And from there it apparently found its way to the media.


Meanwhile, the press reports continue to pop up:

You Might Want to Uninstall VLC. Immediately. [Updated: Maybe Not]

Because of its free and open-source nature, VLC is one of, if not the most popular cross-platform media player in the world. Unfortunately, a newfound and

gizmodo.com

 

[SirDice]

For the previous slew of bugs it would indeed be proper to suggest to uninstall it, some are really nasty. But those have all been patched as far as I know. This new thing can't even be confirmed by the VLC developers.

 

[PMc]

For the previous slew of bugs it would indeed be proper to suggest to uninstall it, some are really nasty. But those have all been patched as far as I know. This new thing can't even be confirmed by the VLC developers.

Yes, I remember installing that update somewhere during June.
And today I found German media headlines full of the matter, mentioning 3.0.7.1 as the problem. And now America seems to tune in.
So lets get some popcorn and watch the show...