Slashdot Mirror


VLC And Secunia Fighting Over Vulnerability Reports

benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of the popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had a PoC illustrating that the root issue still existed and third-party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's SWF parser that VLC worked around since VLC doesn't support SWF. The VLC developers think Secunia should have reported that bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer on overly large chunks, which merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.
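The Matroska issue described in the summary, as an added example that is not VLC's or Secunia's code: a toy element reader in the shape of the bug (declared size trusted, exception uncaught, so the runtime calls std::terminate and the process aborts) beside a checked version that returns an error instead. The sample payload, kMaxChunkSize and all function names are constructed for this illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <exception>
#include <limits>
#include <new>
#include <vector>

// Constructed stand-in for a demuxer reading one element: a declared size
// from the file header, then that many payload bytes. Not VLC's code.
static const uint8_t kSamplePayload[4] = {0x1a, 0x45, 0xdf, 0xa3};  // constructed

// Ceiling a single element may claim; a real demuxer would derive this from
// the container spec or the file size (assumption for this example).
constexpr uint64_t kMaxChunkSize = 64ull * 1024 * 1024;

enum class ParseStatus { Ok, SizeTooLarge, Truncated };

// 'Before' shape: trusts the declared size. An absurd value makes the vector
// constructor throw (std::length_error or std::bad_alloc); if nothing above
// this frame catches it, the runtime calls std::terminate() and the player
// aborts. That is a crash (denial of service), not attacker-controlled memory.
std::vector<uint8_t> read_chunk_unchecked(uint64_t declared, const uint8_t* data, size_t avail) {
    std::vector<uint8_t> buf(static_cast<size_t>(declared));  // may throw
    std::copy_n(data, static_cast<size_t>(std::min<uint64_t>(declared, avail)), buf.begin());
    return buf;
}

// Wrapper that catches what the unchecked reader lets escape, so the effect
// can be observed without actually terminating the process.
bool unchecked_reader_throws(uint64_t declared) {
    try {
        read_chunk_unchecked(declared, kSamplePayload, sizeof kSamplePayload);
    } catch (const std::exception&) {
        return true;  // in a handler-less demuxer this is where terminate() fires
    }
    return false;
}

// Hardened shape: bound the size before allocating, refuse sizes the input
// cannot satisfy, and turn any remaining allocation failure into an error.
ParseStatus read_chunk_checked(uint64_t declared, const uint8_t* data, size_t avail,
                               std::vector<uint8_t>& out) {
    if (declared > kMaxChunkSize) return ParseStatus::SizeTooLarge;
    if (declared > avail) return ParseStatus::Truncated;
    try {
        out.assign(data, data + declared);
    } catch (const std::bad_alloc&) {
        return ParseStatus::SizeTooLarge;
    }
    return ParseStatus::Ok;
}

// Runs the hardened reader over the constructed sample with a given declared size.
ParseStatus checked_status(uint64_t declared) {
    std::vector<uint8_t> out;
    return read_chunk_checked(declared, kSamplePayload, sizeof kSamplePayload, out);
}
```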

3 of 100 comments

  1. Yet another biased Slashdot story by Sarten-X · Score: 1, Troll

    despite dire warnings from Secunia that it could be exploitable, it most certainly is not.

    That depends entirely on what "exploit" means. If VLC is a core part of a media service, calling anything named "terminate" sounds like a recipe for a simple DoS. I don't think VLC is overpriced enough to serve in any critical roles (like, perhaps, a giant Times Square display), but it could easily be the magic under a layer of consultants' bills.

    The easy assumption is that any time a program does something that wouldn't be expected, it's exploitable to cause some kind of annoyance. Whether that alone is enough to warrant a fix is a different matter.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  2. Crisis averted by GeekWithAKnife · Score: 1, Troll

    I have read this quite concerned but am now finally relieved that my porn viewing will not be affected in the slightest.

    Thank you for reporting on "stuff that matters".

    --
    A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
  3. Re:Mein Kempf by GlowingCat · Score: 1, Troll

    Oh the irony: somebody who doesn't give a crap about patents threatens legal action.