VLC And Secunia Fighting Over Vulnerability Reports

← Back to Stories (view on slashdot.org)

VLC And Secunia Fighting Over Vulnerability Reports

Posted by Unknown on Wednesday July 10, 2013 @03:36AM from the fight-fight-fight dept.

benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.

100 comments

Min score:

Reason:

Sort:

... citation? by Anonymous Coward · 2013-07-10 03:44 · Score: 0

despite dire warnings from Secunia that it could be exploitable, it most certainly is not.

", said so-and-so.
See how that is done?
1. Re:... citation? by dgatwood · 2013-07-10 04:47 · Score: 5, Interesting
  No citation needed. AFAIK, there are no known vectors for exploiting an uncaught exception, with two exceptions:
  
  If the exception itself causes some secret information to be leaked to a log file somewhere. This does not apply because the content being played is owned by the computer's owner, who also owns the log files.
  If the exception causes some component to get freed and you end up with a use-after-free situation (or it causes some process to die and some other process fails to handle that death in a safe manner). Presumably VLC is designed to handle codecs going away, but if not, then that is the exploitable vulnerability, not the exception itself.
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
2. Re:... citation? by gandhi_2 · 2013-07-10 05:51 · Score: 1
  
  From a journalistic standpoint, that last sentance DOES need a citation. It stands out even worse because the other statements are well cited.
  
  --
  THL phish sticks
3. Re:... citation? by Anonymous Coward · 2013-07-10 06:23 · Score: 0
  
  No citation needed. AFAIK, there are no known vectors for exploiting an uncaught exception, with two exceptions:
  I'm fairly sure what's happening is that in a 32-bit build it's an integer overflow, whereas in a 64-bit build it doesn't overflow and "just" tries to allocate an unreasonable amount of memory, which throws the exception. (From the blog post, "This uncaught exception makes VLC abort, not execute random code, on my Linux 64bits machine.") So the exception itself isn't exploitable, but under some circumstances something different and exploitable happens instead.
4. Re:... citation? by dgatwood · 2013-07-10 08:28 · Score: 1
  
  If that's what's happening, then yes, that sort of bug is almost always exploitable.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
5. Re:... citation? by hairyfeet · 2013-07-10 09:07 · Score: 1
  
  Not to mention as a guy that gives VLC out to Joe and Jane average I can tell ya VLC is used for local content on a local computer which as you said is all controlled by the one running the video, despite the LAN part of the title nobody I've seen have ever used it for anything but local content. Also I'm at work so can't check ATM but doesn't VLC run in lower rights than the user? i know I've never seen a UAC prompt to use VLC and it has to pop up a UAC to check for updates so if its running in low or limited permissions the best they can do is crash the player.
  In any case i can say i honestly don't care what Securina says, VLC has been one of the most problem free players i have ever encountered in the many many years I've been working in retail, VLC and KLite are my to "go to" when it comes to media on a new install and if the VLC guys say its bullshit I'll give them the benefit of the doubt simply because of how damned solid they have made their player. i have put in content with funky obscure codecs that hasn't been supported by anybody in ages, VLC fired right up and played it without a glitch nor a skip, that means a lot in my position.
  So if any of the VLC devs are reading this there is at least one shop owner that will trust you if you say its bogus, your player has been so solid i even keep it on my service call thumbdrive so its always there if I need it. Great job guys, truly excellent work.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
6. Re:... citation? by hairyfeet · 2013-07-10 09:21 · Score: 3, Informative
  
  Well I'm not a security expert so I can't comment on that, but what I DO have is a shitload of PCs at the shop and I can say that the VLC guy is right, I just tested the Securina "Proof Of Concept" SWF and it don't do shit under VLC. If any Securina fans are here it shows an image, the QT logo, and that's it.
  I tried it on 32bit and 64bit win 7 and even the old XP box in the corner and he's right, first of all VLC won't even open it by default, won't show up in either open with nor any right click menus for that format, so you have to fire up VLC and THEN switch away from media files to all files to even see the thing in VLC and as I said when run? Nothing, hell it didn't even make VLC hang or crash.
  So I'm sorry Securina but if that is your "proof" I gotta throw a flag, bullshit on the field. I haven't got any real old versions of VLC to check what it does on old versions but since VLC has had an updater in place for a couple of years now I can say that I just don't run into anybody running old versions of VLC in the wild so i don't consider that a test worth running.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
7. Re:... citation? by Anonymous Coward · 2013-07-10 09:35 · Score: 0
  
  Is there any reason for you to constantly misspell Secunia?
8. Re:... citation? by dgatwood · 2013-07-10 10:58 · Score: 1
  
  With that said, the exception is not the security hole; the integer overflow is.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
9. Re:... citation? by metrix007 · 2013-07-10 14:16 · Score: 1
  
  Maybe it doesn't work with DEP or ALSR, did you disable them?
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
10. Re:... citation? by metrix007 · 2013-07-10 14:17 · Score: 1
  
  It doesn't run at lower rights than the user, it runs at the same rights as the user. When it needs more rights, that's why you see the UAC prompt.
  
  --
  If you ignore ACs because they are anonymous - you're an idiot.
11. Re:... citation? by Anonymous Coward · 2013-07-10 15:32 · Score: 0
  
  Or maybe he thought it was Securina that and that he made no mistake at all you idiot.
12. Re:... citation? by hairyfeet · 2013-07-10 18:01 · Score: 2
  
  I figured the old XP box would cover that, its a socket 754 Sempron so there isn't any DEP or ALSR and again, nothing. I also tried it on a 32Bit Conroe Celeron and after reading your post switched off DEP and ASLR and again,nothing.
  Again maybe it did something on some old version which I would consider valid...if it didn't have an updater, but it does and since it updates itself and is free I don't really consider what it did in some old version a valid test. after all if they have no Internet so it can't update the odds they are gonna run into a SWF malware file is pretty much non existent,it'd be like saying a PC that is airgapped is in danger of viruses. This is why i don't bother with tests for malware that require Windows to never be updated because the only ones I see running around with WU turned off are the pirates and if they are smart enough to pirate Windows they ought to be smart enough to update the damned thing without getting bit by WGA.
  As for the AC that wet his panties over how I wrote Secunia? I thought it was Securina, as in Security? Certainly makes more damned sense than what its really called, WTF is a Secunia anyway? If they are just gonna pick a name out of a hat I vote for Petunia, there really ain't enough Petunias in the world.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
13. Re:... citation? by hairyfeet · 2013-07-10 18:07 · Score: 1
  
  But users are run in limited (but not low,which is even more restricted) mode unless they agree to an elevated through a prompt so again I don't see this as a problem, and of the boxes at the shop I tried it on both an old Sempron XP box without DEP or ASLR, a Win 7 32bit Conroe Celeron with both ASLR and DEP on and off, and finally my 64bit home box with ASLR and DEP on...nothing. Their PoC didn't do squat, no crashes, no hangs, nothing.
  So unless they can bring something better than a PoC that I can't get to do shit I'm gonna have to side with the VLC guys. I mean on ALL the systems i tried except for my 64bit home system they don't even have AV installed yet so if it was gonna do anything at all? i gave it the perfect platform.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
Not invented here by Anonymous Coward · 2013-07-10 03:48 · Score: 0, Interesting

C'mon Secunia, security isn't about bickering. You don't just throw proof-of-concept at someone and say "FIX IT FIX IT FIX IT" without buying them dinner first.
You'd be surprised by Anonymous Coward · 2013-07-10 03:49 · Score: 0, Funny

What kind of things are exploitable. If the above involves a SEH chain to be invoked on windows it can be exploited.
1. Re:You'd be surprised by Anonymous Coward · 2013-07-10 03:53 · Score: 1
  
  Exceptions aren't exploitable, it's the buffer overflow that lets you write onto the exception chain that is exploitable.
2. Re:You'd be surprised by fnj · 2013-07-10 04:01 · Score: 4, Insightful
  
  What kind of things are exploitable.
  Learn.
  
  If the above involves a SEH chain to be invoked on windows it can be exploited.
  It doesn't. C++ exceptions have exactly NOTHING to do with Win32 structured exceptions.
3. Re:You'd be surprised by Anonymous Coward · 2013-07-10 05:21 · Score: 0
  
  I know of at least two C++ compilers that use SEH to implement C++ exceptions.
  I also know one that doesn't and that essentially means that when I need to pass exceptions between my code and third-party components, I cannot use that compiler.
4. Re:You'd be surprised by Anonymous Coward · 2013-07-10 05:38 · Score: 0
  
  I know of at least two C++ compilers that use SEH to implement C++ exceptions.
  Is the OP is correct about "If the above involves a SEH chain to be invoked on windows it can be exploited"? Because if he is, then surely that means that any exception at all, even something as benign as "the user entered an invalid date", can be a security hole when compiled by one of those compilers?
5. Re:You'd be surprised by Anonymous Coward · 2013-07-10 18:08 · Score: 0
  
  What kind of things are exploitable.
  Learn.
  
  If the above involves a SEH chain to be invoked on windows it can be exploited.
  It doesn't. C++ exceptions have exactly NOTHING to do with Win32 structured exceptions.
  Utter rubbish. Read John Robbins books, and Mark Russinovichs. Ultimately at the lowest level, on Windows ALL exception types are implemented as Win32 structured exceptions...
6. Re:You'd be surprised by Anonymous Coward · 2013-07-10 20:55 · Score: 0
  
  I know of at least two C++ compilers that use SEH to implement C++ exceptions.
  Is the OP is correct about "If the above involves a SEH chain to be invoked on windows it can be exploited"? Because if he is, then surely that means that any exception at all, even something as benign as "the user entered an invalid date", can be a security hole when compiled by one of those compilers?
  No.
  You can exploit SEH by combining it with a buffer overflow vulnerability [SEH has a stack allocated data structure containing code jump pointers, spill the buffer and override the target address so that an exception will jump into your shellcode when searching for catch clauses] but the mechanism itself is simply inefficient and shit, not vulnerable.
7. Re:You'd be surprised by Anonymous Coward · 2013-07-10 21:20 · Score: 0
  
  It doesn't. C++ exceptions have exactly NOTHING to do with Win32 structured exceptions.
  Utter rubbish. Read John Robbins books, and Mark Russinovichs. Ultimately at the lowest level, on Windows ALL exception types are implemented as Win32 structured exceptions...
  The implementation of exceptions in C++ and other programming languages is chosen by the authors of the compiler/interpreter, not John Robbins and Mark Russinovich.
Yet another biased Slashdot story by Sarten-X · 2013-07-10 03:51 · Score: 1, Troll

despite dire warnings from Secunia that it could be exploitable, it most certainly is not.
That depends entirely on what "exploit" means. If VLC is a core part of a media service, calling anything named "terminate" sounds like a recipe for a simple DoS. I don't think VLC is overpriced enough to serve in any critical roles (like, perhaps, a giant Times Square display), but it could easily be the magic under a layer of consultants' bills.
The easy assumption is that any time a program does something that wouldn't be expected, it's exploitable to cause some kind of annoyance. Whether that alone is enough to warrant a fix is a different matter.

--
You do not have a moral or legal right to do absolutely anything you want.
1. Re:Yet another biased Slashdot story by slashmydots · 2013-07-10 04:03 · Score: 1
  
  How is making VLC close a DoS? Just re-open it and don't play the rigged file again.
2. Re:Yet another biased Slashdot story by Anonymous Coward · 2013-07-10 04:06 · Score: 5, Insightful
  
  Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner. Fuck my old boots, the world will end tomorrow.
  VLC over-priced? What planet are you on, it's a free in both senses of the word, you plank! If anyone is selling media playback, they'll simply put a wrapper over ffmpeg, like 99% of Windows and OSX video players do already.
3. Re:Yet another biased Slashdot story by sjames · 2013-07-10 04:11 · Score: 1
  
  Usually exploit and DOS are two separate categories. DOS is limited in it's impact (though it can be a serious problems in some cases) compared to exploit, the ability to use the program to gain privileges and/or run malicious code.
4. Re:Yet another biased Slashdot story by Sarten-X · 2013-07-10 04:13 · Score: 2
  Imagine a situation where audio or video playback is considered a service, like the given example of a Times Square ad display. Disrupt that playback, and you have denial of service, period.
  More examples I can think of offhand:
  
  Theatre sound effects
  Streaming media servers
  Internet radio
  Public information displays
  Conference and sales presentations
  I'm not saying it's necessarily an important service that's disrupted, or that the fix will take a long time, but it's still a DoS.
  --
  You do not have a moral or legal right to do absolutely anything you want.
5. Re:Yet another biased Slashdot story by bill_mcgonigle · 2013-07-10 04:13 · Score: 1
  
  Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner.
  Is VLC actually exiting? It should put up a "this media file is corrupt" message with perhaps a backtrace under a disclosure pane. But that's a usability issue, not a security one.
  VLC over-priced? What planet are you on, it's a free in both senses of the word, you plank!
  Adjust the squelch on your sarcasm meter. He means that big expensive projects tend to pay exorbitant licensing fees to software companies and don't bother with free software.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
6. Re:Yet another biased Slashdot story by SuricouRaven · 2013-07-10 04:15 · Score: 1
  
  If an attacker can inject their own video stream, they can do far worse things than DoS.
7. Re:Yet another biased Slashdot story by Anonymous Coward · 2013-07-10 04:21 · Score: 0
  
  What does VLC do? Play movies/music. What does forcing VLC to close do? Prevent it from playing movies/music. Hence, it is no longer functional to provide its service. That you can very likely restart it doesn't change things.
8. Re:Yet another biased Slashdot story by g0bshiTe · 2013-07-10 04:31 · Score: 5, Funny
  
  It's just important that if two attackers are at it that they don't cross the streams.
  
  --
  I am Bennett Haselton! I am Bennett Haselton!
9. Re:Yet another biased Slashdot story by Anonymous Coward · 2013-07-10 04:31 · Score: 3, Insightful
  
  Disrupt that playback, and you have denial of service, period.
  Except if you control the data stream going to VLC you can do far more than disrupt the service. No exploit is needed.
10. Re:Yet another biased Slashdot story by Anonymous Coward · 2013-07-10 04:40 · Score: 0
  
  I don't think VLC is overpriced enough to serve in any critical roles (like, perhaps, a giant Times Square display)
  You'd be surprised. I did some coding not long for a company that makes digital signage system (i.e. stuff like the machines that drive those displays) and they're using a mixture of free software on Windows XP bundled together with a .net front end. VLC had been installed on the system, but had been disabled in favour of a DirectShow-based player for formats where a proper codec could be found.
  (My job was to rewrite under Linux, using gstreamer)
11. Re:Yet another biased Slashdot story by Sarten-X · 2013-07-10 04:41 · Score: 1
  
  The existence of other vulnerabilities is no reason to excuse this one. If that hypothetical ad display runs VLC, but its content is screened using Media Player, a crafted file may work fine and have approved content when checked, but crashes the display in production. This is a good argument for having identical testing and production systems, but that's not always how reality works out.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
12. Re:Yet another biased Slashdot story by gl4ss · 2013-07-10 04:52 · Score: 1
  Imagine a situation where audio or video playback is considered a service, like the given example of a Times Square ad display. Disrupt that playback, and you have denial of service, period.
  More examples I can think of offhand:
  
  Theatre sound effects
  Streaming media servers
  Internet radio
  Public information displays
  Conference and sales presentations
  I'm not saying it's necessarily an important service that's disrupted, or that the fix will take a long time, but it's still a DoS.
  if you can insert data into the datastream that is streaming into the video decoder .. umm.. then who the fuck cares you can "dos" it by making the decoder crash? you could dos it multiple ways then, like changing the stream to 10000000x10000000 pixel stream of white or whatever.
  if you could run code through it then it would be pretty serious, obviously, but a videostream that crashes it is literally last decades stuff.
  --
  world was created 5 seconds before this post as it is.
13. Re:Yet another biased Slashdot story by gl4ss · 2013-07-10 04:54 · Score: 1
  
  What does VLC do? Play movies/music. What does forcing VLC to close do? Prevent it from playing movies/music. Hence, it is no longer functional to provide its service. That you can very likely restart it doesn't change things.
  actually if you can choose which file/data it tries to decode then you can disrupt the original intended viewing. but there is actually no need for a crash exploit in it then. you could just make it show goatse all day.
  
  --
  world was created 5 seconds before this post as it is.
14. Re:Yet another biased Slashdot story by sjames · 2013-07-10 05:02 · Score: 2
  
  On the other hand, you handed it a bogus video to play. The best it can do is pop up an error message and/or skip it. There is already some degree of disruption inherent in the situation.
15. Re:Yet another biased Slashdot story by Anonymous Coward · 2013-07-10 05:14 · Score: 0
  
  VLC over-priced? What planet are you on, it's a free in both senses of the word, you plank!
  You do know what "I don't think" means, right?
16. Re:Yet another biased Slashdot story by F.Ultra · 2013-07-10 05:16 · Score: 1
  
  Becasue if you can make it crash then something else might happen, for example the admin might reach out to it via some remote access method or go there physically which might help you in whatever you are doing.
17. Re:Yet another biased Slashdot story by Anonymous Coward · 2013-07-10 05:21 · Score: 0
  
  Or the admin might pee his pants and then on the way to the pants shop to buy more pants get hit by a bus and die.
  THIS IS SERIOUS PEOPLE!!!!!11sqrt(1)
18. Re:Yet another biased Slashdot story by gandhi_2 · 2013-07-10 05:53 · Score: 2
  
  Yes, but for MISSION CRITICAL .mkv playback, VLC just isn't an option.
  Like, say... porn.
  
  --
  THL phish sticks
19. Re:Yet another biased Slashdot story by Sarten-X · 2013-07-10 06:29 · Score: 4, Informative
  
  You jest, but that's a decent example. It's a hostile world, and every little thing, no matter how trivial, can be used against you, in unexpected ways. If you're aiming to kill a sysadmin, perhaps VLC is just the right tool for the job. Perhaps the bus hit was planned, and the attacker just needed a way to get the admin out in the open.
  One of my personal favorite exploits involved using a core dump to drop a file into cron.d. The kernel, being ever so helpful, would put the dump into whatever working directory the crashing program was running in. Cron, being ever so helpful, would run all the files in cron.d, and being ever so helpful, would ignore all the badly-malformed data in those files. Put them together, and suddenly any user who can run a program can schedule commands to be run as root.
  As your example shows with ample hyperbole, even a clean termination may be part of a larger plan. Perhaps VLC terminating triggers a watchdog that is differently-exploitable. Perhaps VLC is interfering with another exploit the attacker wants to use. Perhaps something else altogether... what matters is that all such attack vectors can be blocked by fixing this unexpected behavior.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
20. Re:Yet another biased Slashdot story by hairyfeet · 2013-07-10 09:31 · Score: 1
  
  Except that when i just ran the PoC it didn't crash,hang, throw an exception or do anything else, so i think this entire line of conversation is kinda moot. Then you have to add in the fact that to even get this to play you are gonna have to do things that Joe and jane average aren't even gonna think of, such as bypass the default Windows Open and Open With dialog boxes, fire up VLC, switch VLC from media to "any files" and then and ONLY then go to whatever directory its sitting in and run it.
  Working for normal folks 6 days a week i can tell you the odds of all that occurring are about the same as me growing wings out my behind and flying north for cooler temps. Most folks will just "clicky clicky" which on the machines at the shop fires up MP Classic which just sits there, no crashes either. for a PoC its pretty damned weak, so far I've tried 3 different players and haven't got it to even crash anything. Hell I even tried opening it in IE, figuring if anything would crap itself it'd be good old Internet Exploiter but nope, didn't do shit...lame.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
21. Re:Yet another biased Slashdot story by Anonymous Coward · 2013-07-10 10:09 · Score: 0
  
  Except if you control the data stream going to VLC you can do far more than disrupt the service. No exploit is needed.
  Sometimes I with I had an account to upvote comments like this to the top. Then again I see a bunch of idiotic comments and am glad I don't.
22. Re:Yet another biased Slashdot story by Anonymous Coward · 2013-07-10 10:14 · Score: 0
  
  ...It's a hostile world, and every little thing, no matter how trivial, can be used against you, in unexpected ways. If you're aiming to kill a sysadmin, perhaps VLC is just the right tool for the job. Perhaps the bus hit was planned, and the attacker just needed a way to get the admin out in the open.....Perhaps VLC terminating triggers a watchdog that is differently-exploitable. Perhaps VLC is interfering with another exploit the attacker wants to use. Perhaps something else altogether...
  Perhaps you're an idiot and should shut up. VLC is a free open player, and Secunia is a PoS company trying to discredit the software. I'm going to list you as a security vulnerability because you crash when I give you input of a bullet to the head.
23. Re:Yet another biased Slashdot story by Anonymous Coward · 2013-07-10 11:41 · Score: 0
  
  Do you have citations for this cron-d exploit, because I think you're slinging lies over here.
24. Re:Yet another biased Slashdot story by Anonymous Coward · 2013-07-10 19:56 · Score: 0
  
  In my experience, dodgy video files make VLC crash quite easily, often even when they work fine on the second try. But that seems like a minor usability issue since restarting VLC is very little effort.
25. Re:Yet another biased Slashdot story by Sarten-X · 2013-07-11 05:13 · Score: 1
  
  Google for "Cron core dump vulnerability": http://www.securiteam.com/exploits/5OP0C0UJ5Y.html
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
I call my doctor... by wbr1 · 2013-07-10 03:52 · Score: 4, Funny

when I need to call std::terminate.

--
Silence is a state of mime.
1. Re:I call my doctor... by Anonymous Coward · 2013-07-10 07:41 · Score: 0
  
  I can feel the burning disappearing already!
  #include
  #include
  using namespace std;
  using namespace everythingelse;
  int main()
  {
  cout "PRAISE THE LAWD" endl;
  bigBang();
  return 1; // God does not entertain the notion of zero
  } ....aaaaand the burning is back. But this time it feels like it's in my eyes.
Put up or shut up by Anonymous Coward · 2013-07-10 03:53 · Score: 2, Interesting

"Kaveh Ghaemmaghami has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system."
"The vulnerability is caused due to a use-after-free error when releasing a picture object during decoding of video files. This can be exploited to reference an object's callback function pointer from already freed memory. Successful exploitation may allow execution of arbitrary code."
Well if it can be exploited to execute arbitrary code, why not exploit it to execute arbitrary code? Or shut up and stop talking garbage ("to reference an object's callback function pointer" What?? Is that supposed to sound technical while being gibberish?).
Put up or shut up and the argument becomes more regular and concrete like most exploits.
i.e. proof of concept, the thing that seems to be missing from Secunia's claim.
1. Re:Put up or shut up by Lunix+Nutcase · 2013-07-10 04:23 · Score: 4, Informative
  
  How is that phrase gibberish? It's quite clear what it means if you've ever used C++ and function pointers to implement callbacks for an object.
2. Re: Put up or shut up by Anonymous Coward · 2013-07-10 05:37 · Score: 0
  
  Because secunia makes money selling exploits. Not giving them away for free.
3. Re:Put up or shut up by Anonymous Coward · 2013-07-10 15:36 · Score: 0
  
  Or shut up and stop talking garbage ("to reference an object's callback function pointer" What?? Is that supposed to sound technical while being gibberish?).
  It's definitely not gibberish if you've programmed at least once in your life.
A slow decline by Anonymous Coward · 2013-07-10 03:54 · Score: 0, Insightful

The so-called 'security' firms have just been building a business model around some accidents of history - buffer overflow, sql injections, etc...
When all of these go away, slowly but surely, computer intrusion as we know it will cease to exist and 'hacking into computers' will be a thing of the past.
1. Re:A slow decline by Anonymous Coward · 2013-07-10 05:37 · Score: 0
  
  They'll find something new to call "h4>0RZ!!1!one!eleventy!" over. They have always managed before.
  Notice how the abuse of the term "hacker" (and how clumsily it was done, with hat colours and "ethical" and lots of other qualifiers that in the main don't mean squat, sort-of the "cyber" of the security industry racket) has contributed to large amounts of FUD and uninformed decisions, even leading to overly broad-because-vague laws against "hacking" that effectively also criminalise creativity with technology, and thus could easily stymie innovation. Unless, of course, you're a big enough company.
  But yes, the industry is one built on FUD and short-term patching-up, leading to expensive consultancy that really only prolongs the problem. One of the side effects is that apparently serious gatherers of exploits have gathered so many that they have no trouble at all with the cyber-breaking and cyber-entering of most any system. Shows you how much the security companies really know.
2. Re:A slow decline by Anonymous Coward · 2013-07-10 06:20 · Score: 0
  
  If you mean the NSA "cyber warrior" article, I just hope that was some sort of narcissist or a faked propaganda leak.
3. Re:A slow decline by shentino · 2013-07-10 09:45 · Score: 1
  
  Ironically, the incentives you flag are the very reason it may continue.
Crisis averted by GeekWithAKnife · 2013-07-10 03:56 · Score: 1, Troll

I have read this quite concerned but am now finally relieved that my porn viewing will not be affected in the slightest.

Thank you for reporting on "stuff the matters".

--
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
Please wait ... by Anonymous Coward · 2013-07-10 04:02 · Score: 2, Informative

I tried accessing the VLC website, but all I got was an error message:
Please wait while your font cache is rebuilt. This should take less than a few minutes.
1. Re:Please wait ... by Anonymous Coward · 2013-07-10 04:33 · Score: 0
  
  I'm not a VLC apologist, but does that even happen any more?
  VLC is too clunky to use as my main video player but I do fall back to it regularly when other players choke on whatever it is I'm watching.
  Can only remember seeing that in windows though so that might be it?
  I'm curious because Firefox memory use still gets stick even though (IMHO) it hasn't been an issue for a dozen versions or so, and I think I might be seeing parallels.
  I suppose that one time I was intimate with a midget, I didn't realise I would be called "that midget fucker guy" from then on in the office.
  If I'd known, I would have been more patient with her contortionist friend. But you know what those carnie-folk are like.
  Amirite?
2. Re:Please wait ... by TheRaven64 · 2013-07-10 04:46 · Score: 1
  
  I'm not a VLC apologist, but does that even happen any more?
  The first time I ever saw this message was when updating VLC to the latest version about 2 months ago, so it definitely does still happen, although I've no idea why (or what it's doing that takes so long).
  
  --
  I am TheRaven on Soylent News
3. Re:Please wait ... by Anonymous Coward · 2013-07-10 04:59 · Score: 0
  
  It's making its own copy of your system fonts for subtitles. It's working around its own poor design.
4. Re:Please wait ... by Anonymous Coward · 2013-07-10 06:10 · Score: 0
  
  Sounds like an embarrassingly parallel work load. Finally, a reason for 8+ threads!
5. Re:Please wait ... by hobarrera · 2013-07-12 07:06 · Score: 1
  
  I've used VLC for almost a decade and i've never seen this message. How do you trigger it? According to online sources, it's run after an update, but I've never seen it, and update every single release. Running vlc 2.0.7 right now.
Mein Kempf by fustakrakich · 2013-07-10 04:11 · Score: 1

Threatens 'legal action'? What's up with that?

--
“He’s not deformed, he’s just drunk!”
1. Re:Mein Kempf by GlowingCat · 2013-07-10 04:30 · Score: 1, Troll
  
  Oh the irony, somebody who doesn't give a crap about patents threatens with legal actions.
2. Re:Mein Kempf by Penguinisto · 2013-07-10 04:59 · Score: 0
  
  protip: patent infringement != libel/slander ;)
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
3. Re:Mein Kempf by Ash+Vince · 2013-07-10 05:26 · Score: 3, Interesting
  
  protip: patent infringement != libel/slander ;)
  It is still running to a bunch of lawyers though to settle what should be a technical issue.
  He is worried about the damage to his wonderful players reputation be secunia filing a few bug reports? It works both ways, if they have filed bug based on security issues that do not exist that damages their reputation. Surely it makes more sense to have a discussion between two techies regarding the expected behaviour of the application. I don't see what a bunch of lawyers can contribute to that.
  Oh, apart from burning them to keep the techies warm :)
  
  --
  I dont read /. to RTFA, I read /. to offend people in ignorance.
4. Re:Mein Kempf by Capt.Albatross · 2013-07-10 06:56 · Score: 1
  
  I don't see what a bunch of lawyers can contribute to that.
  Bringing legal action got the issue on Slashdot, so it turned out to be an effective way to raise awareness that Secunia's position is bogus.
Re:The end by Anonymous Coward · 2013-07-10 04:45 · Score: 0

Pretty weak troll. I'll give you 2,5 out of 5, if nothing else for your copy/pasta effort. Otherwise you'd probably get a 1.
I trust Secunia by Steve_Ussler · 2013-07-10 04:49 · Score: 2, Funny

They have always been correct.
Use after free is *not* just a DOS vulnerbability by benjymouse · 2013-07-10 05:08 · Score: 3, Informative

(original submitter here)
If Secunia is correct that the root cause is a use-after-free vulnerability, it exploitability is likely not limited to simple DOS. Secunia talk about a callback handler. A use after free vulnerability can easily lead to execution of arbitrary code, depending on how much control the artacker can assert over the memory.
Also, it is interesting if the sentiment is that it is not a vulnerability if it sits in a linked library. Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.

--
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Re:The end by mitzampt · 2013-07-10 05:32 · Score: 1

He even brought out the cheese for the pasta when he mentioned Windows 8, you need to give him at least 3 out of 5. I almost fed him myself...

--
uhm...
Re:The end by Anonymous Coward · 2013-07-10 06:11 · Score: 0

my clients are removing Linux so quickly their computers are literally exploding
Sounds like a good reason not to remove Linux.
Re:Use after free is *not* just a DOS vulnerbabili by Anonymous Coward · 2013-07-10 06:11 · Score: 2, Informative

Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.
Why? We don't report vulnerabilities in the GNU C library (glibc) as being vulnerabilities of every program that has links to it. Even Secunia reports vulnerabilities in glibc as vulnerabilities of the library, not the individual programs using it. [cite: https://secunia.com/advisories/search/]
You can argue that it ought to be the other way, but at the very least Secunia should be consistent with their own practice. Flagging VLC because of a vulnerability in ffmpeg is not consistent with Secunia's own past practice.
consider shared libraries by Chirs · 2013-07-10 06:33 · Score: 3, Informative

If I update the library it resolves the problem for all users of the library. Therefore, the problem is in the shared library, not in the users of that library.
It may be possible to trigger the bug in users of the library, but the actual error (and the thing that must be fixed) is in the library, not the program using it.
Statically linked library by benjymouse · 2013-07-10 07:59 · Score: 1

What if the library is statically linked (as it is on some platforms with VLC as I understand it)? Then it is distributed with the product.

--
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Not surprising by Anonymous Coward · 2013-07-10 08:05 · Score: 0

I've seen tagged "critical security" "buffer overflow bugs" for unchecked bounds strings... only exploitable being root...
Re:Use after free is *not* just a DOS vulnerbabili by TJamieson · 2013-07-10 08:32 · Score: 1

My understanding is the libmkv terminate was the DoS portion. The SWF use-after-free would indeed be vulnerable, but is also within ffmpeg. While it would be nice - and in their best interests - if VLC fixed it upstream, it should have been reported as an ffmpeg issue imo.

--
For the last time, PIN Number and ATM Machine are redundancies!
Good point: I deal with that in VCL's... apk by Anonymous Coward · 2013-07-10 09:08 · Score: 0

Borland's Object Model in Delphi (& C++ Builder too) let you do that via "VCL's" (visual component libs) that compile right into your app - it['s much like doing classes work in say, VB or C++ from MS (& it has forms built right in if required etc.). By the way: YES, that is "VCL" not our subject program, "VLC" (stressing that here, right off the bat almost).
It's great when they ship with source - easier to control by far of course. Not as nice if they don't (some don't). Usually I've seen that MOST 3rd party folks, in freeware libs, ship with source though. Thank Goodness. I steer clear of them now, usually, if the time to take building the functionality of the lib isn't too extreme, then I build it/mimic it, myself. Just a matter of trade off time constraints. I am "big" personally, on "self-built code" for reasons of maintenance etc. (what happens if say, you go from 32-> 64-bit & can't port others' 3rd party libs too? You're stuck!) - it was what my 1st post here was about, in fact.
You're, odds are, going to HAVE to distribute any .DLL files too, since you noted distributed with product, though. If the OS doesn't have a native model of the same, with the SAME build/version # on it - you're in for hassles (placing YOURS in your appdir overrides those, & gets you around this, since 1st place in dll calling rules is the application's folder before any place else, like %WinDir%\system32)
APK
P.S.=> In my last reply however, I should have specified that regarding your point - that DLL-based API's were what I meant by "3rd party libs", specifically (vs. statically linked VCL's and yes, it is CLOSE to our subject spelling-wise, so nobody get too confused now, in VLC)... apk
std: terminate. by leuk_he · 2013-07-10 09:15 · Score: 2

Then who you are going to call?
SImple by Anonymous Coward · 2013-07-10 09:49 · Score: 0

So, the solution is simple. Fix the bug. Own the problem, take responsibility for it. After the bug is fix if someone wants to claim it isn't, offer $1,000,000 if they can tank you. If they collect, you were wrong. If they can't, they were wrong. It _is_ that simple.
Re:Use after free is *not* just a DOS vulnerbabili by Anonymous Coward · 2013-07-10 11:16 · Score: 0

I really hope you're trolling, because "for all intensive purposes" is a corruption of the phrase "for all intents and purposes". Using the "intensive" version is usually a sign that you're a dumbass.
(Only usually, though. Unlike many cases of mangled phrases, there are contexts where "intensive purposes" might actually make sense. In this one, however, "for all intents and purposes" is clearly correct.)
No, and yes and no. by Anonymous Coward · 2013-07-10 20:36 · Score: 0

VLC distributes a single installer with a lot of things in it on, eg. windows, where on a linux system most of the parts would all be separate packages (fetched from source and compiled by your linux distribution and not by videolan), but the individual libraries are dynamically loaded as needed.
Statically linked would mean one rather large binary, and that's not how vlc works on any platform. It's a core engine with lots and lots of plugins, relying heavily on dynamic loading. So the terminology as used does not apply.
Bottom line, VLC does come with third party software libraries packed in its installer on platforms where it provides such a thing (windows, mac), but does not on others, that rely on source distribution.
Even so, the situation remains that if there is a problem in, say, ffmpeg, then pointing at vlc as the culprit is misleading, even dishonest, in badly counter-productive ways:
First, though vlc would be affected, they would kick over the problem to ffmpeg tout de suite. At most they'd patch it themselves, submit the patch to ffmpeg, and awaiting upstream upgrades patch the version of ffmpeg in the build tree -- but that only works for platforms for which they provide monolithic installers. Source distribution would be left out in the cold. Might as well work with ffmpeg directly to get the thing fixed, instead of getting into a shouting match with videolan.
Working with the group most directly responsible for the software that contains the problem is usance and best practice in the open source community. This is a bit different from the commercial stonewalling secunia is apparently used to.
Second, ffmpeg (and much of whatever else vlc uses) is used quite a lot more widely than just vlc, and so if you blame vlc then you're not just frustrating fixing the actual problem, you're leaving all those other users out in the cold, too.
Re:Use after free is *not* just a DOS vulnerbabili by CODiNE · 2013-07-11 04:23 · Score: 1

Rarely understood, often vilified. Satire is the most dangerous form of literature.
It was a silly joke about the corruption of language, how the vernacular becomes the standard and the frequent error of those who jump on others supposed mistake.
Y'all get a nice big WOOOOSH!

--
Cwm, fjord-bank glyphs vext quiz
Tradeoff by Anonymous Coward · 2013-07-11 19:25 · Score: 0

Spend manpower on fancy Metroized version, or ironing the real deal?