steven36 Posted July 21, 2019 Share Posted July 21, 2019 A German cybersecurity agency, CERT-Bund, which is responsible for organising the country's response to any computer emergencies, has recently discovered what it describes as a critical flaw in the popular VLC Media Player. VLC is known to be a highly compatible media player, and thus boasts an impressive total downloads of over 3 billion, making this vulnerability all the more dangerous. CERT-Bund classified the vulnerability, officially logged as CVE-2019-13615, to be a "High" (Level 4) exploit, which is the second-highest risk assessment level by the agency. The exploit is rather nasty and allows attackers to not only execute code remotely but also allows for unauthorised disclosure of information, unauthorised modification of files and disruption of service. VLC is currently in the process of creating a fix, which can be seen on its website here. However, the ticket shows work on the fix is only 60% complete and there's no ETA on when it might be complete. CERT-Bund says there are no known cases where the exploit has actually been used by attackers, but it might be a good idea to steer clear of VLC for the time being, until the exploit is officially patched. We've reached out to Videolan for more information about the matter, and for an estimate of when a fix might become available. VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp. Source Link to comment Share on other sites More sharing options...
Karlston Posted July 24, 2019 Share Posted July 24, 2019 Confusion about a recently disclosed vulnerability in VLC Media Player Reports started to emerge on the Internet about a critical security vulnerability in the popular multimedia player VLC Media Player. Update: VideoLAN confirmed that the issue was not a security issue in VLC Media Player. The engineers detected that the issue was caused by an older version of the third-party library called libebml that was included in older versions of Ubuntu. The researcher used that older version of Ubuntu apparently. End Gizmodo's Sam Rutherford suggested that users uninstall VLC immediately and the tenor of other tech magazines and sites was identical for the most part. Sensationalist headlines and stories generate lots of pageviews and clicks, and that is likely the main reason why sites like to make use of those instead of focusing on headlines and articles that are not as sensationalist. The bug report, filed under CVE-2019-13615, rates the issue as critical and states that it affects VLC Media Player 3.0.7.1 and previous versions of the media player. All desktop versions of VLC Media Player, available for Windows, Linux and Mac OS X, are affected by the issue according to the description. An attacker could execute code remotely on affected devices if the vulnerability is exploited successfully according to the bug report. The description of the issue is technical, but it provides valuable information about the vulnerability nevertheless: VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp. The vulnerability can only be exploited if users open specifically prepared files using VLC Media Player. A sample media file that uses the mp4 format is attached to the bug track listing which appears to confirm this. VLC engineers have ad difficulties reproducing the issue that was filed on the official bug tracking site four weeks ago. Project lead Jean-Baptiste Kempf posted yesterday that he could not reproduce the bug as it did not crash VLC at all. Others, e.g. Rafael Rivera, could not reproduce the issue on several VLC Media Player builds as well. VideoLAN went to Twitter to to shame the reporting organizations MITRE and CVE. Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly... Oh, btw, this is not a VLC vulnerability... The organizations did not inform VideoLAN about the vulnerability in advanced according to VideoLAN's post on Twitter. What VLC Media Player users can do The problems that engineers and researchers have to replicate the issue makes it quite the puzzling affair for users of the media player. Is VLC Media Player safe to use in the meantime because the issue is not as severe as initially suggested or not a vulnerability at all? It may take a while before things get sorted out. Users could use a different media player in the meantime or trust VideoLAN's assessment of the issue. It is always a good idea to be careful when it comes to the execution of files on systems, especially when they come from the Internet and there from sources that cannot be trusted 100%. Source: Confusion about a recently disclosed vulnerability in VLC Media Playe (gHacks - Martin Brinkmann) Link to comment Share on other sites More sharing options...
Jordan Posted July 24, 2019 Share Posted July 24, 2019 Never liked this crap anyway! There are way more better players out there! Link to comment Share on other sites More sharing options...
steven36 Posted July 24, 2019 Author Share Posted July 24, 2019 17 minutes ago, Jordan said: Never liked this crap anyway! There are way more better players out there! Only thing i use it for is to stream iptv I have addon in Firefox that capture the stream then I put the link in VLC and stream it and you can even record your show to x264 mp4 but as far as watching videos locally i don't use it for that . Only Kodi and VLC can handle these kind of streams and since the links expire after so many hours it to much of a hassle to load in kodi. Link to comment Share on other sites More sharing options...
steven36 Posted July 25, 2019 Author Share Posted July 25, 2019 6 hours ago, Karlston said: Confusion about a recently disclosed vulnerability in VLC Media Player The bug still exist in Ubuntu 18.04 and below and Debian stretch (2017) is vulnerable, buster is not. even though VLC gets updated if you use a ppa or what ever VLC uses libebml didn't get updated on LTS so it still vulnerable I fixed mine by back porting it from upstream myself . There seems to be a lack of commutation from VLC when they found the bug . throwaway_391 13 hours ago [-] Most / all software has a disclosure policy, send your vulns privately and provide/negotiate a public disclosure date. Not doing so is an asshole move. In this case, the solution would be to track down distributions which did not package the software and (privately) disclose to them that the relevant lib needs updating. It was a VLC bug they didn't notify Ubuntu or Debian to update the libebm or no CVE for libebml was ever published so they say what want but it' still VLC at fault , I don't like VLC they have very slow development and upgrading there releases on Ubuntu have always sucked , they have so much holes in there software Ubuntu shouldn't ship there junk player and replace it with mpv like Ubuntu Budgie does. I'm glad you posted it it help me fix that security vulnerability on mine . It's a not Windows bug anymore since 2018 it only a Linux bug only on some versions . Link to comment Share on other sites More sharing options...
nsan3 Posted July 25, 2019 Share Posted July 25, 2019 So like do I need to update VLC to a particular version or can I leave it since am on Win10? Link to comment Share on other sites More sharing options...
steven36 Posted July 25, 2019 Author Share Posted July 25, 2019 22 minutes ago, nsan3 said: So like do I need to update VLC to a particular version or can I leave it since am on Win10? You should be fine as far as Windows 10 is concerned tell they find the next bugs and have to update VLC again . I'ts bug prone software, VLC packages there own libraries on Windows so its patched . They is a upside and a downside to it if a package use it own libraries or not and one downside is if it has a bug everyone is infected by the bug that uses there packages .That why there is a argument on Linux about it, it happen before . But another downside is a distro may not catch the bug and update the bug if the vendors like VLC don't notify them. the upside is not using there packages could prevent a bug , but this not the case here VLC package was a better choice tell the next bugs is found in it. Link to comment Share on other sites More sharing options...
l0veruski Posted July 25, 2019 Share Posted July 25, 2019 here some info about it https://trac.videolan.org/vlc/ticket/22474#comment:26 From that link “This does not crash a normal release of VLC 3.0.7.1” “If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.” “Sorry, but this bug is not reproducible and does not crash VLC at all.” Link to comment Share on other sites More sharing options...
steven36 Posted July 25, 2019 Author Share Posted July 25, 2019 6 hours ago, l0veruski said: your (fake) news sources.” It was a Misclassification of Bug and Threat There and and actual bug in LTS Linux distros still . UPDATE 20190724: VLC has responded to the claimed security issue with a denial that its software is affected, placing the blame on an outdated third-party library shipped with selected operating systems and stating that the security researcher did not follow best practice. 'About the "security issue" on #VLC : VLC is not vulnerable,' the developers write on the official VideoLAN Twitter account. 'tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim. 'So, a reporter, opened a bug on our bugtracker, which is outside of the reporting policy, aka, mail us in private on the security alias. Of course, our bugtracker is public. We could not, of course reproduce the issue, and tried to contact the security researcher, in private. The reporter is using Ubuntu 18.04, which is an old version of Ubuntu, and clearly has not all the updated libraries. But did not answer to our questions. For whatever reason, unknown to us, @MITREcorp decided to issue a CVE, without talking to us. This is in direct violation of their own policies. 'This is not the first time that @MITREcorp does that. In fact, they NEVER EVER contact us when they find security issues on VLC, and we always discover that after they are public, when a user or a distribution asks us. When we complained, and we asked if we could manage our own CVE (like another CNA), we had no answer and @usnistgov NVD told us that they basically couldn't do anything for us, not even fixing the wrong information. And this has been going on for years: almost all CVE on VLC have completely insane CVSS, which brings articles like the one we've seen. Any non-exploitable read overflow get CVSS of 9.8, like VLC is a server and you could do RCE and compromised the machine, while most of the time, the issue is a crash, often not exploitable, from a local file that the user HAS to open manually. And of course, they are never corrected.' Those who are affected by the bug are advised to check that they are running an up-to-date copy of the libebml library, or at least a version higher than 1.3.5, rather than concerning themselves with their VLC version, which should be the case for all but selected Linux distributions whose packages were locked down more than 16 months ago. Those on Long Term Support (LTS) distributions which still ship the vulnerable library will need to manually upgrade or wait for a backport to be released by their distribution's maintainer. https://bit-tech.net/news/tech/software/vlc-player-hit-by-buffer-overflow-vulnerability/1/ The news done nothing but follow what MITREcorp said when they put out CVE-2019-13615 without talking to VLC 1st . CVE is what everyone follows so the news was just posting what was reported , Well VLC had over a year to tell Debian and Ubuntu about libebml and didn't . They wait tell after the fact the Media slammed them to disclose WTF is VLC problem with being transparent about bugs to vendors who ship there software ? Windows don't ship it it's something you install on it on your own accord , Only Linux ships with it .They deserved to be to be slammed but it's just unfortunate it was for the wrong thing. It was not tell they released CVE-2019-13615 Debian and Ubuntu found out about it . If it was not for that CVE they wouldnt be fixing it at all. https://security-tracker.debian.org/tracker/source-package/libebml https://trac.videolan.org/vlc/ticket/22474 Issue was originally reported to vlc project, but the underlying issue is found in the libebml library, fixed upstream in 1.3.6. No information on details. https://security-tracker.debian.org/tracker/CVE-2019-13615 More infos here on them working back porting the fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932241 https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13615.html VLC and there fanboys is just trying to place the blame on everyone else , but VLC track record of bugs tells another story and now to top it all off they not reporting bugs to vendors like they should and cry about it when the blows up in there face!!! how do you patch there software if VLC never discloses the library that needs to be patched? As far as I know only there software was effected by this. If they never would of released CVE-2019-13615 I would never known to fix it myself. At the rate VLC is going they may as well close the source . It took 18 mths for the bug in libebml to be reported to linux distros and still it was not VLC who disclosed it was MITREcorp who did . Link to comment Share on other sites More sharing options...
mp68terr Posted July 25, 2019 Share Posted July 25, 2019 Where is this libebml supposed to be located? I don't seem to find it in the lib directory (mint 18.3) Missing voidtools' everything. Link to comment Share on other sites More sharing options...
steven36 Posted July 25, 2019 Author Share Posted July 25, 2019 59 minutes ago, mp68terr said: Where is this libebml supposed to be located? I don't seem to find it in the lib directory (mint 18.3) Why are you looking in the directory? use synaptic package manager instead then download from upstrem and replace it. fixed version x64 http://launchpadlibrarian.net/368704023/libebml4v5_1.3.6-2_amd64.deb fixed version x86 http://launchpadlibrarian.net/368703953/libebml4v5_1.3.6-2_i386.deb On Windows libebml can't even be seen or replaced like it can on Linux because it's complied into the software . So if it gets a bug in it your just screwed tell VLC updates it . It also has other bugs in newer versions that are not security related , That why Linux Distros wait tell a bug is reported to fix something . Linus motto is if it not broke why fix it? That why VLC is bug ridden crap they fix way more security bugs than they do quality bugs. When they fix security bugs they just create more and more quality bugs! Here's another flavor of Ubuntu who seen the light Why Ubuntu MATE 19.10 Is Ditching VLC for GNOME MPV https://www.omgubuntu.co.uk/2019/06/ubuntu-mate-19-10-mpv-vlc Link to comment Share on other sites More sharing options...
mkc21 Posted July 25, 2019 Share Posted July 25, 2019 what they meant was: this flaw is already useless for us so you can finally fix it (we know of others anyways) Link to comment Share on other sites More sharing options...
steven36 Posted July 25, 2019 Author Share Posted July 25, 2019 2 hours ago, mkc21 said: what they meant was: this flaw is already useless for us so you can finally fix it (we know of others anyways) I don't care what they meant It's just 1 out of a 1000 reasons people should not use it to watch videos local on linux . 1.On Linux, VLC FFMPEG , often lags when it comes to supporting the newest codecs that Just Work™ on Windows, and didn't have support for using GStreamer plugins for the longest time, making it more complicated for end users to add patented codecs. 2.We're in a new generation of video tech that VLC on Linux just doesn't work with yet. VLC is just fine for stuff from 2006, but worthless for stuff from 2016. Use it on Windows and it pretty much works because support is already built in via DirectX, while Linux is trial and error. (Mostly error!) 3. SMPlayer frontend for MPlayer and MPV provides a better Linux experience than VLC in situations where you want a UI... that said, in most situations. 4. VLC has worse performance when jumping back/forward while playing FullHD/UHD movies. 5.The defaults for MPV are rather good. I'd imagine that the biggest issue is the difference between VDPAU and NVDEC, because VDPAU doesn't support HEVC, and is necessary for older Nvidia graphics, as well as older versions without NVDEC support enabled. This also affects AMD graphics, because the also support VDPAU, but for the same reason (and that VDPAU is otherwise dead) are better with VA-API.Really, the kind of people who are excited about MPV are the ones wanting the best video player. Those excited about VLC want the best video player application. It's hard to argue against the reality that MPV plays everything (except dvd/bluray menus, which don't strictly qualify as video) better than VLC, VLC is friendlier, for sure(but if you use SMplayer and mpv this is not true), but if you want to do anything halfway non-standard you'll start leaning on MPV. 6.The Actual Truth - VLC is nothing but a wrapper for ffmpeg codecs. So if you are l33t enough, you can compile your own ffmpeg which might result in performance that is at least 100 times better than VLC . Even on windows most every other player out preforms it. People just use it for it's name. 7. VLC really should do more frequent releases. Releasing a new version after 20k commits is _not_ normal. Why are you trying to defend some dev that writes 20k commits before they release a better version ? i was beta testing 4 RC and updates started becoming non existent because there builds always fail when they update them so i switch back to stable. https://launchpad.net/~videolan/+archive/ubuntu/master-daily/+packages VLC is the exact opposite on Linux of what it is on Windows . On Windows people use it because you don't need Codecs . But on Linux you have install all kinds of codecs and to even try to make it work right . Like something that was on Windows back in the early 2000s .Some crap players like zoom player and BS player still require codecs on windows. MPV don't require codecs on Linux Optionally you can use a front-end like SMPlayer . Gnome MPV , etc if you don't want to fool with command line to use all it's features . SMPlayer being better built than Gnome is because it's QT and just works is the best front-end for MPV . But MPV works fine out of the box as it is . Also optionally you can also use YouTube-DL with it to stream from lots of video sites. It will play anything you throw on it with very little cpu usage compared to others and that's even true on Windows because i switch from Potplayer to SMplayer on Windows to get better playback. 🤣 Link to comment Share on other sites More sharing options...
mp68terr Posted July 25, 2019 Share Posted July 25, 2019 1 hour ago, steven36 said: Why are you looking in the directory? Because it's usually what people do in order to check the version/properties of the file Anyway will get the fixed version from your links. Link to comment Share on other sites More sharing options...
steven36 Posted July 25, 2019 Author Share Posted July 25, 2019 11 minutes ago, mp68terr said: Because it's usually what people do in order to check the version/properties of the file Anyway will get the fixed version from your links. synaptic package manager tells you the version that's installed . Linux is not Windows were you need to do that to find such info. Ypu can look at the properties of the file with synaptic package manager even . 1st thing i do when i install Linux is install it , but i think its a default app on Linux Mint. That how i got to know it was using it on Linux Mint in 2015. Link to comment Share on other sites More sharing options...
steven36 Posted July 25, 2019 Author Share Posted July 25, 2019 2 hours ago, mp68terr said: All you need to do sudo apt-get update now Ubuntu just fixed all bugs were in there old version in LTS. I'm using Jonathon F ppa so i already have the new one plus other newer codecs i need from the ppa, https://launchpad.net/ubuntu/+source/vlc/3.0.7.1-0ubuntu18.04.1 https://launchpad.net/ubuntu/bionic/+source/libebml So you should remove 1.3.6-2 if you done upgraded and install x64 https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/17316173/+files/libebml4v5_1.3.5-2ubuntu0.1_amd64.deb x86 https://launchpad.net/ubuntu/+source/libebml/1.3.5-2/+build/13657775/+files/libebml4v5_1.3.5-2_i386.deb you can remove 1.3.6-2 with synaptic package manger and download and install ibebml4v5_1.3.5-2 with synaptic package. Then close synaptic package manger then sudo apt-get update && sudo apt-get install vlc in your terminal and your good changelog https://launchpad.net/ubuntu/bionic/+source/libebml/+changelog advisories https://linuxsecurity.com/advisories/ubuntu/ubuntu-4074-1-vlc-vulnerabilities-11-07-03 Link to comment Share on other sites More sharing options...
mp68terr Posted July 25, 2019 Share Posted July 25, 2019 56 minutes ago, steven36 said: install ibebml4v5_1.3.5-2 Updated the library. Looks like the old one was 1.3.3. Edit: the update manager wants to go back to it (1.3.3-1). Link to comment Share on other sites More sharing options...
steven36 Posted July 25, 2019 Author Share Posted July 25, 2019 11 minutes ago, mp68terr said: Updated the library. Looks like the old one was 1.3.3. You said you was using Ubuntu Xenial version of Linux Mint the update for it is libebml 1.3.3-1 X64 https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/17316179/+files/libebml4v5_1.3.3-1ubuntu0.1_amd64.deb X86 https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/17316182/+files/libebml4v5_1.3.3-1ubuntu0.1_i386.deb Changelog https://launchpad.net/ubuntu/xenial/+source/libebml/+changelog Link to comment Share on other sites More sharing options...
mp68terr Posted July 25, 2019 Share Posted July 25, 2019 4 minutes ago, steven36 said: You siad you was using Ubuntu Xenial version of Linux Mint the update for it is libebml 1.3.3-1 Yes, xenial here. Libebml is supposed to be 1.3.3-1. Isn't it vulnerable according to one of the previous post? Link to comment Share on other sites More sharing options...
steven36 Posted July 25, 2019 Author Share Posted July 25, 2019 5 minutes ago, mp68terr said: Yes, xenial here. Libebml is supposed to be 1.3.3-1. Isn't it vulnerable according to one of the previous post? 1.3.3-1 is a update from 4 hours ago its the patched version so it fixes the bug. https://launchpad.net/ubuntu/+source/libebml Bout if you don't use https://launchpad.net/~jonathonf/+archive/ubuntu/vlc-3 https://launchpad.net/~jonathonf/+archive/ubuntu/vlc-3/+packages you have and outdated version of vlc don't you full of other security problems ? because they just only pushed the new version of vlc to 18.0.4 /Linux Mint 19 today i don't see it for Xenial version Link to comment Share on other sites More sharing options...
mp68terr Posted July 25, 2019 Share Posted July 25, 2019 2 minutes ago, steven36 said: 1.3.3-1 is a update from 4 hours ago its the patched version so it fixes the bug. Oh, ok! Did not check when it was updated. Good to know that it fixes the bug. AFAIK, the latest vlc version proposed for xenial is 2.2.2 in the software manager, and can update to 2.2.7. Link to comment Share on other sites More sharing options...
steven36 Posted July 25, 2019 Author Share Posted July 25, 2019 1 minute ago, mp68terr said: Oh, ok! Did not check when it was updated. Good to know that it fixes the bug. AFAIK, the latest vlc version proposed for xenial is 2.2.2 in the software manager, and can update to 2.2.7. You can update to vlc 3.0.7.1 on yours by using these install notes http://ubuntuhandbook.org/index.php/2018/05/install-vlc-3-0-2-ubuntu-16-04-ppa/ Only difference is mine 18.04 i don't need meson like your does , Snap https://snapcraft.io/vlc And Flatpac gets updated automatically https://flathub.org/apps/details/org.videolan.VLC Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.