German cybersecurity agency identifies critical flaw in VLC Media Player


steven36


A German cybersecurity agency, CERT-Bund, which is responsible for organising the country's response to any computer emergencies, has recently discovered what it describes as a critical flaw in the popular VLC Media Player.

 

https://s7d2.turboimg.net/sp/c09711807de77fe2b8d5aebad8337475/1512060529_vlc_videolan_media_player_story.jpg

 

VLC is known to be a highly compatible media player, and thus boasts an impressive total of over 3 billion downloads, making this vulnerability all the more dangerous. CERT-Bund classified the vulnerability, officially logged as CVE-2019-13615, as a "High" (Level 4) exploit, which is the second-highest risk assessment level used by the agency.

 

The exploit is rather nasty and allows attackers to not only execute code remotely but also allows for unauthorised disclosure of information, unauthorised modification of files and disruption of service.

 

VLC is currently in the process of creating a fix, which can be seen on its website here. However, the ticket shows work on the fix is only 60% complete and there's no ETA on when it might be complete. CERT-Bund says there are no known cases where the exploit has actually been used by attackers, but it might be a good idea to steer clear of VLC for the time being, until the exploit is officially patched. We've reached out to Videolan for more information about the matter, and for an estimate of when a fix might become available.

 

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.

 

 


Confusion about a recently disclosed vulnerability in VLC Media Player

Reports started to emerge on the Internet about a critical security vulnerability in the popular multimedia player VLC Media Player.

 

Update: VideoLAN confirmed that the issue was not a security issue in VLC Media Player. The engineers detected that the issue was caused by an older version of the third-party library called libebml that was included in older versions of Ubuntu. The researcher used that older version of Ubuntu apparently. End

 

Gizmodo's Sam Rutherford suggested that users uninstall VLC immediately and the tenor of other tech magazines and sites was identical for the most part. Sensationalist headlines and stories generate lots of pageviews and clicks, and that is likely the main reason why sites like to make use of those instead of focusing on headlines and articles that are not as sensationalist.

 

The bug report, filed under CVE-2019-13615, rates the issue as critical and states that it affects VLC Media Player 3.0.7.1 and previous versions of the media player.

 

All desktop versions of VLC Media Player, available for Windows, Linux and Mac OS X, are affected by the issue according to the description. An attacker could execute code remotely on affected devices if the vulnerability is exploited successfully according to the bug report.

 


 

The description of the issue is technical, but it provides valuable information about the vulnerability nevertheless:

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.

The vulnerability can only be exploited if users open specifically prepared files using VLC Media Player. A sample media file that uses the mp4 format is attached to the bug track listing which appears to confirm this.

 

VLC engineers have had difficulties reproducing the issue that was filed on the official bug tracking site four weeks ago.

 

Project lead Jean-Baptiste Kempf posted yesterday that he could not reproduce the bug as it did not crash VLC at all. Others, e.g. Rafael Rivera, could not reproduce the issue on several VLC Media Player builds as well.

 

VideoLAN went to Twitter to shame the reporting organizations MITRE and CVE.

Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly...

Oh, btw, this is not a VLC vulnerability...

The organizations did not inform VideoLAN about the vulnerability in advance, according to VideoLAN's post on Twitter.

 

What VLC Media Player users can do

The problems that engineers and researchers have to replicate the issue makes it quite the puzzling affair for users of the media player. Is VLC Media Player safe to use in the meantime because the issue is not as severe as initially suggested or not a vulnerability at all?

 

It may take a while before things get sorted out. Users could use a different media player in the meantime or trust VideoLAN's assessment of the issue. It is always a good idea to be careful when it comes to the execution of files on systems, especially when they come from the Internet and there from sources that cannot be trusted 100%.

 

 

 

Source: Confusion about a recently disclosed vulnerability in VLC Media Player (gHacks - Martin Brinkmann)



17 minutes ago, Jordan said:

Never liked this crap anyway!

There are way better players out there!

The only thing I use it for is to stream IPTV. I have an add-on in Firefox that captures the stream, then I put the link in VLC and stream it, and you can even record your show to x264 MP4. But as far as watching videos locally, I don't use it for that. Only Kodi and VLC can handle these kinds of streams, and since the links expire after so many hours it's too much of a hassle to load them in Kodi.

 

https://s7d6.turboimg.net/sp/f17c9e6dddb781b13a84165ae328b685/Tooltip_020.png



6 hours ago, Karlston said:

Confusion about a recently disclosed vulnerability in VLC Media Player

The bug still exists in Ubuntu 18.04 and below, and Debian stretch (2017) is vulnerable; buster is not. Even though VLC gets updated if you use a PPA or whatever, VLC uses libebml, which didn't get updated on LTS, so it's still vulnerable. I fixed mine by backporting it from upstream myself. There seems to be a lack of communication from VLC when they found the bug.

 

throwaway_391 13 hours ago
Most / all software has a disclosure policy, send your vulns privately and provide/negotiate a public disclosure date.

Not doing so is an asshole move.

In this case, the solution would be to track down distributions which did not package the software and (privately) disclose to them that the relevant lib needs updating.

 

It was a VLC bug; they didn't notify Ubuntu or Debian to update libebml, and no CVE for libebml was ever published, so they can say what they want but it's still VLC at fault. I don't like VLC; they have very slow development, and upgrading their releases on Ubuntu has always sucked. They have so many holes in their software that Ubuntu shouldn't ship their junk player and should replace it with mpv like Ubuntu Budgie does.

 

I'm glad you posted it; it helped me fix that security vulnerability on mine.

 

It's not a Windows bug anymore since 2018; it's only a Linux bug, and only on some versions.



So, like, do I need to update VLC to a particular version, or can I leave it since I'm on Win10?



22 minutes ago, nsan3 said:

So, like, do I need to update VLC to a particular version, or can I leave it since I'm on Win10?

You should be fine as far as Windows 10 is concerned, till they find the next bugs and have to update VLC again. It's bug-prone software. VLC packages its own libraries on Windows, so it's patched. There is an upside and a downside to whether a package uses its own libraries or not, and one downside is that if it has a bug, everyone that uses their packages is affected by the bug. That's why there is an argument on Linux about it; it has happened before. But another downside is that a distro may not catch the bug and update it if vendors like VLC don't notify them. The upside is that not using their packages could prevent a bug, but that's not the case here; the VLC package was the better choice, till the next bug is found in it.



Here's some info about it

https://trac.videolan.org/vlc/ticket/22474#comment:26

From that link

“This does not crash a normal release of VLC 3.0.7.1”

“If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.”

“Sorry, but this bug is not reproducible and does not crash VLC at all.”



6 hours ago, l0veruski said:

your (fake) news sources.”

 

It was a misclassification of bug and threat. There is still an actual bug in LTS Linux distros.

 

UPDATE 20190724:

VLC has responded to the claimed security issue with a denial that its software is affected, placing the blame on an outdated third-party library shipped with selected operating systems and stating that the security researcher did not follow best practice. 'About the "security issue" on #VLC : VLC is not vulnerable,' the developers write on the official VideoLAN Twitter account. 'tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.

 

'So, a reporter, opened a bug on our bugtracker, which is outside of the reporting policy, aka, mail us in private on the security alias. Of course, our bugtracker is public. We could not, of course reproduce the issue, and tried to contact the security researcher, in private. The reporter is using Ubuntu 18.04, which is an old version of Ubuntu, and clearly has not all the updated libraries. But did not answer to our questions. For whatever reason, unknown to us, @MITREcorp  decided to issue a CVE, without talking to us. This is in direct violation of their own policies.

 

'This is not the first time that @MITREcorp does that. In fact, they NEVER EVER contact us when they find security issues on VLC, and we always discover that after they are public, when a user or a distribution asks us. When we complained, and we asked if we could manage our own CVE (like another CNA), we had no answer and @usnistgov NVD told us that they basically couldn't do anything for us, not even fixing the wrong information. And this has been going on for years: almost all CVE on VLC have completely insane CVSS, which brings articles like the one we've seen. Any non-exploitable read overflow get CVSS of 9.8, like VLC is a server and you could do RCE and compromised the machine, while most of the time, the issue is a crash, often not exploitable, from a local file that the user HAS to open manually. And of course, they are never corrected.'

 

Those who are affected by the bug are advised to check that they are running an up-to-date copy of the libebml library, or at least a version higher than 1.3.5, rather than concerning themselves with their VLC version, which should be the case for all but selected Linux distributions whose packages were locked down more than 16 months ago. Those on Long Term Support (LTS) distributions which still ship the vulnerable library will need to manually upgrade or wait for a backport to be released by their distribution's maintainer.

 

https://bit-tech.net/news/tech/software/vlc-player-hit-by-buffer-overflow-vulnerability/1/

 

The news did nothing but follow what MITREcorp said when they put out CVE-2019-13615 without talking to VLC first. CVE is what everyone follows, so the news was just posting what was reported. Well, VLC had over a year to tell Debian and Ubuntu about libebml and didn't. They waited till after the fact, when the media slammed them, to disclose. WTF is VLC's problem with being transparent about bugs to vendors who ship their software? Windows doesn't ship it; it's something you install on it of your own accord. Only Linux ships with it. They deserved to be slammed, but it's just unfortunate it was for the wrong thing. :lmao:

 

It was not till they released CVE-2019-13615 that Debian and Ubuntu found out about it. If it were not for that CVE they wouldn't be fixing it at all.

https://security-tracker.debian.org/tracker/source-package/libebml

https://trac.videolan.org/vlc/ticket/22474
Issue was originally reported to vlc project, but the underlying issue is found in the libebml library, fixed upstream in 1.3.6. No information on details.
https://security-tracker.debian.org/tracker/CVE-2019-13615

More info here on them working on backporting the fix

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932241

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13615.html

 

VLC and their fanboys are just trying to place the blame on everyone else, but VLC's track record of bugs tells another story, and now to top it all off they're not reporting bugs to vendors like they should and cry about it when the :shit: blows up in their face!!! How do you patch their software if VLC never discloses the library that needs to be patched? As far as I know only their software was affected by this. If they never would have released CVE-2019-13615 I would never have known to fix it myself. At the rate VLC is going they may as well close the source. It took 18 months for the bug in libebml to be reported to Linux distros, and still it was not VLC who disclosed it; it was MITREcorp who did. :P



Where is this libebml supposed to be located?

I don't seem to find it in the lib directory (Mint 18.3) :dunno:

Missing voidtools' Everything.



59 minutes ago, mp68terr said:

Where is this libebml supposed to be located?

I don't seem to find it in the lib directory (Mint 18.3) :dunno:

Why are you looking in the directory? Use Synaptic Package Manager instead, then download it from upstream and replace it.

 

fixed version x64

http://launchpadlibrarian.net/368704023/libebml4v5_1.3.6-2_amd64.deb

 

fixed version x86

http://launchpadlibrarian.net/368703953/libebml4v5_1.3.6-2_i386.deb

 

On Windows libebml can't even be seen or replaced like it can on Linux, because it's compiled into the software. So if it gets a bug in it you're just screwed till VLC updates it. It also has other bugs in newer versions that are not security related. That's why Linux distros wait till a bug is reported to fix something. Linus' motto is: if it's not broke, why fix it? That's why VLC is bug-ridden crap: they fix way more security bugs than they do quality bugs. When they fix security bugs they just create more and more quality bugs!

 

Here's another flavor of Ubuntu that has seen the light

 

Why Ubuntu MATE 19.10 Is Ditching VLC for GNOME MPV

https://www.omgubuntu.co.uk/2019/06/ubuntu-mate-19-10-mpv-vlc

 

:rofl:



what they meant was: this flaw is already useless for us so you can finally fix it (we know of others anyways)



2 hours ago, mkc21 said:

what they meant was: this flaw is already useless for us so you can finally fix it (we know of others anyways)

I don't care what they meant. It's just 1 out of 1000 reasons people should not use it to watch videos locally on Linux.


1. On Linux, VLC (FFmpeg) often lags when it comes to supporting the newest codecs that Just Work™ on Windows, and didn't have support for using GStreamer plugins for the longest time, making it more complicated for end users to add patented codecs.

2. We're in a new generation of video tech that VLC on Linux just doesn't work with yet. VLC is just fine for stuff from 2006, but worthless for stuff from 2016. Use it on Windows and it pretty much works because support is already built in via DirectX, while Linux is trial and error. (Mostly error!)

3. SMPlayer, a frontend for MPlayer and MPV, provides a better Linux experience than VLC in situations where you want a UI... that said, in most situations.

4. VLC has worse performance when jumping back/forward while playing FullHD/UHD movies.

5. The defaults for MPV are rather good. I'd imagine that the biggest issue is the difference between VDPAU and NVDEC, because VDPAU doesn't support HEVC, and is necessary for older Nvidia graphics, as well as older versions without NVDEC support enabled. This also affects AMD graphics, because they also support VDPAU, but for the same reason (and because VDPAU is otherwise dead) are better with VA-API. Really, the kind of people who are excited about MPV are the ones wanting the best video player. Those excited about VLC want the best video player application. It's hard to argue against the reality that MPV plays everything (except DVD/Blu-ray menus, which don't strictly qualify as video) better than VLC. VLC is friendlier, for sure (but if you use SMPlayer and MPV this is not true), but if you want to do anything halfway non-standard you'll start leaning on MPV.

6. The actual truth: VLC is nothing but a wrapper for FFmpeg codecs. So if you are l33t enough, you can compile your own FFmpeg, which might result in performance that is at least 100 times better than VLC. Even on Windows most every other player outperforms it. People just use it for its name.

7. VLC really should do more frequent releases. Releasing a new version after 20k commits is _not_ normal.

 

Why are you trying to defend some dev that writes 20k commits before they release a better version? I was beta testing 4 RC and updates started becoming non-existent because their builds always fail when they update them, so I switched back to stable.

https://launchpad.net/~videolan/+archive/ubuntu/master-daily/+packages

 

VLC is the exact opposite on Linux of what it is on Windows. On Windows people use it because you don't need codecs. But on Linux you have to install all kinds of codecs and :shit: to even try to make it work right, like something that was on Windows back in the early 2000s. Some crap players like Zoom Player and BS.Player still require codecs on Windows. MPV doesn't require codecs on Linux. Optionally you can use a front-end like SMPlayer, GNOME MPV, etc. if you don't want to fool with the command line to use all its features. SMPlayer is better built than GNOME MPV because it's Qt and just works; it is the best front-end for MPV. But MPV works fine out of the box as it is. Also optionally you can use youtube-dl with it to stream from lots of video sites. It will play anything you throw at it with very little CPU usage compared to others, and that's even true on Windows, because I switched from PotPlayer to SMPlayer on Windows to get better playback.

🤣



1 hour ago, steven36 said:

Why are you looking in the directory?

Because it's usually what people do in order to check the version/properties of the file :innocent:

Anyway will get the fixed version from your links.



11 minutes ago, mp68terr said:

Because it's usually what people do in order to check the version/properties of the file :innocent:

Anyway will get the fixed version from your links.

Synaptic Package Manager tells you the version that's installed. Linux is not Windows, where you need to do that to find such info. You can even look at the properties of the file with Synaptic Package Manager. The first thing I do when I install Linux is install it, but I think it's a default app on Linux Mint. That's how I got to know it: using it on Linux Mint in 2015.

 



2 hours ago, mp68terr said:

 

All you need to do is sudo apt-get update now; Ubuntu just fixed all the bugs that were in their old version in LTS. I'm using Jonathon F's PPA, so I already have the new one plus other newer codecs I need from the PPA.

https://launchpad.net/ubuntu/+source/vlc/3.0.7.1-0ubuntu18.04.1

https://launchpad.net/ubuntu/bionic/+source/libebml

 

So you should remove 1.3.6-2 if you already upgraded, and install

 

x64

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/17316173/+files/libebml4v5_1.3.5-2ubuntu0.1_amd64.deb

 

 x86

https://launchpad.net/ubuntu/+source/libebml/1.3.5-2/+build/13657775/+files/libebml4v5_1.3.5-2_i386.deb

 

You can remove 1.3.6-2 with Synaptic Package Manager, and download and install libebml4v5_1.3.5-2 with Synaptic Package Manager.

 

Then close Synaptic Package Manager, then run

sudo apt-get update && sudo apt-get install vlc in your terminal, and you're good.

 

changelog

https://launchpad.net/ubuntu/bionic/+source/libebml/+changelog

advisories

https://linuxsecurity.com/advisories/ubuntu/ubuntu-4074-1-vlc-vulnerabilities-11-07-03



56 minutes ago, steven36 said:

install libebml4v5_1.3.5-2

Updated the library. Looks like the old one was 1.3.3.

 

Edit: the update manager wants to go back to it (1.3.3-1).



11 minutes ago, mp68terr said:

Updated the library. Looks like the old one was 1.3.3.

You said you were using the Ubuntu Xenial version of Linux Mint; the update for it is libebml 1.3.3-1

 

X64

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/17316179/+files/libebml4v5_1.3.3-1ubuntu0.1_amd64.deb

 

X86

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/17316182/+files/libebml4v5_1.3.3-1ubuntu0.1_i386.deb

 

Changelog

https://launchpad.net/ubuntu/xenial/+source/libebml/+changelog

 


 



4 minutes ago, steven36 said:

You said you were using the Ubuntu Xenial version of Linux Mint; the update for it is libebml 1.3.3-1

Yes, xenial here. Libebml is supposed to be 1.3.3-1. Isn't it vulnerable according to one of the previous post?



5 minutes ago, mp68terr said:

Yes, xenial here. Libebml is supposed to be 1.3.3-1. Isn't it vulnerable according to one of the previous post?

1.3.3-1 is an update from 4 hours ago; it's the patched version, so it fixes the bug.

https://launchpad.net/ubuntu/+source/libebml

 

But if you don't use

https://launchpad.net/~jonathonf/+archive/ubuntu/vlc-3

https://launchpad.net/~jonathonf/+archive/ubuntu/vlc-3/+packages

 

you have an outdated version of VLC, don't you, full of other security problems? Because they only just pushed the new version of VLC to 18.04 / Linux Mint 19 today; I don't see it for the Xenial version.
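The bit-tech excerpt earlier in the thread tells users to check for a libebml "version higher than 1.3.5", and the exchange just above shows why that test misleads on LTS systems: Ubuntu shipped the fix as 1.3.5-2ubuntu0.1 (bionic) and 1.3.3-1ubuntu0.1 (xenial), keeping the old upstream number and bumping only the package revision. The script below is an added example for this thread, not code from VideoLAN, Ubuntu or any poster. It classifies a dpkg version string of libebml as fixed upstream (1.3.6 or newer), fixed by a known distribution backport, or vulnerable, and reports on the installed package when dpkg is present. The backport list is an assumption taken from the Launchpad links posted in this thread; extend it from your own distribution's security tracker.

```shell
#!/bin/sh
# Added example (not from VideoLAN, Ubuntu or the thread's posters): classify
# the installed libebml package with respect to CVE-2019-13615.
#   * upstream fixed the bug in libebml 1.3.6, so 1.3.6 or newer is fine;
#   * LTS distributions backport the fix under the OLD upstream number and
#     bump only the Debian revision, so a bare "above 1.3.5" test calls a
#     patched system vulnerable.
# KNOWN_BACKPORTS is an assumption drawn from the Launchpad links in this
# thread (Ubuntu bionic and xenial); add your own distribution's entries.
KNOWN_BACKPORTS="1.3.5-2ubuntu0.1 1.3.3-1ubuntu0.1"

# vercmp A B: compare two dotted numeric versions; prints -1, 0 or 1.
# 1.3.10 must sort above 1.3.6, so each component is compared as an integer.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# libebml_status DPKG_VERSION: prints fixed-upstream, fixed-backport or vulnerable.
libebml_status() {
    v="$1"
    for known in $KNOWN_BACKPORTS; do
        if [ "$v" = "$known" ]; then printf '%s\n' fixed-backport; return; fi
    done
    up="${v%%-*}"                     # drop the Debian revision (1.3.5-2ubuntu0.1 -> 1.3.5)
    up="${up#*:}"                     # drop an epoch if present (1:1.4.0 -> 1.4.0)
    pre=0
    case "$up" in *~*) pre=1 ;; esac  # 1.3.6~rc1 sorts BELOW 1.3.6 in dpkg ordering
    num="${up%%[!0-9.]*}"             # keep only the leading numeric part
    c=$(vercmp "$num" 1.3.6)
    if [ "$c" -gt 0 ] || { [ "$c" -eq 0 ] && [ "$pre" -eq 0 ]; }; then
        printf '%s\n' fixed-upstream
    else
        printf '%s\n' vulnerable
    fi
}

# installed_libebml: "package version" lines for the runtime libebml packages
# (libebml4v5 on the Ubuntu releases discussed here); prints nothing where
# dpkg is not available, so the script is harmless on other systems.
installed_libebml() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f='${Package} ${Version}\n' 'libebml*' 2>/dev/null | grep -v -- '-dev ' || true
}

report() {
    installed_libebml | while read -r pkg ver; do
        printf '%s %s: %s\n' "$pkg" "$ver" "$(libebml_status "$ver")"
    done
}

report
# A "vulnerable" line means the distribution's patched libebml4v5 is not
# installed; the fix used in this thread is to install that package and then
# run: sudo apt-get update && sudo apt-get install vlc
```

Run it as a plain `sh` script; it prints one line per libebml runtime package. On a Windows build of VLC there is nothing to check this way, because, as noted above, libebml is compiled into the VLC package itself and is replaced only by a VLC update.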

 

 



2 minutes ago, steven36 said:

1.3.3-1 is a update from 4 hours ago its the patched version so it fixes the bug.

Oh, ok! Did not check when it was updated. Good to know that it fixes the bug.

 

AFAIK, the latest vlc version proposed for xenial is 2.2.2 in the software manager, and can update to 2.2.7.



1 minute ago, mp68terr said:

Oh, ok! Did not check when it was updated. Good to know that it fixes the bug.

 

AFAIK, the latest vlc version proposed for xenial is 2.2.2 in the software manager, and can update to 2.2.7.

You can update to VLC 3.0.7.1 on yours by using these install notes

http://ubuntuhandbook.org/index.php/2018/05/install-vlc-3-0-2-ubuntu-16-04-ppa/

 

The only difference is mine is 18.04; I don't need meson like yours does.

Snap

https://snapcraft.io/vlc

 

And Flatpak gets updated automatically

https://flathub.org/apps/details/org.videolan.VLC
