Slashdot Mirror


VLC And Secunia Fighting Over Vulnerability Reports

benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of the popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had a PoC illustrating that the root issue still existed and third-party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in FFmpeg's SWF parser that VLC worked around, since VLC doesn't support SWF. The VLC developers think Secunia should have reported the bug to FFmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.
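As an added illustration of the "overly large chunk" failure mode in the summary above (example code written here, not VLC or libmatroska code): a toy chunk reader over a constructed 4-byte-size-prefix layout, not real Matroska/EBML. The "before" parser trusts the declared size and lets the exception escape, which with no handler above ends in std::terminate, a crash and nothing more; the "after" entry point caps the size, checks it against the bytes present before allocating, and is a noexcept boundary that turns a hostile file into an error code. The function names and the 16 MiB cap are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical hard cap on one chunk's payload; a real demuxer would tune this.
constexpr std::size_t kMaxChunkBytes = 16u * 1024u * 1024u;
struct Chunk { std::uint32_t declared_size = 0; std::vector<std::uint8_t> payload; };
enum class DemuxStatus { Ok, BadSize, Truncated, InternalError };

// Constructed toy layout (not real Matroska/EBML): 4-byte little-endian declared
// payload size, then the payload bytes. Throws if even the header is missing.
static std::uint32_t read_declared_size(const std::vector<std::uint8_t>& b) {
    if (b.size() < 4) throw std::runtime_error("truncated header");
    std::uint32_t n = 0;
    for (int i = 3; i >= 0; --i) n = (n << 8) | b[static_cast<std::size_t>(i)];
    return n;
}
// "Before": trusts the declared size. A huge value makes resize() throw
// length_error/bad_alloc and a short file throws runtime_error; with no handler
// in any frame above, the runtime calls std::terminate() and the player dies.
Chunk parse_chunk_trusting(const std::vector<std::uint8_t>& file) {
    Chunk c;
    c.declared_size = read_declared_size(file);
    c.payload.resize(c.declared_size);  // allocates blindly, before any check
    if (static_cast<std::size_t>(c.declared_size) + 4 > file.size())
        throw std::runtime_error("truncated payload");
    for (std::size_t i = 0; i < c.declared_size; ++i) c.payload[i] = file[4 + i];
    return c;
}
bool trusting_parser_throws(const std::vector<std::uint8_t>& file) {
    try { (void)parse_chunk_trusting(file); return false; }
    catch (const std::exception&) { return true; }
}

// "After": validate the declared size against a hard cap and the bytes actually
// present before allocating, and make the boundary noexcept so a hostile file
// yields an error code instead of an escaping exception.
DemuxStatus demux_chunk(const std::vector<std::uint8_t>& file, Chunk& out) noexcept {
    try {
        if (file.size() < 4) return DemuxStatus::Truncated;
        const std::uint32_t n = read_declared_size(file);
        if (n > kMaxChunkBytes) return DemuxStatus::BadSize;
        if (static_cast<std::size_t>(n) + 4 > file.size()) return DemuxStatus::Truncated;
        out.declared_size = n;
        out.payload.assign(file.begin() + 4, file.begin() + 4 + n);
        return DemuxStatus::Ok;
    } catch (const std::exception&) { return DemuxStatus::InternalError; }  // nothing escapes
}
DemuxStatus demux_status(const std::vector<std::uint8_t>& file) { Chunk c; return demux_chunk(file, c); }
```

Feeding the trusting parser a header that declares several gigabytes is left out of the tests on purpose: whether resize() throws or the allocation succeeds depends on the host, which is exactly why the hardened path rejects the size before touching the allocator.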

12 of 100 comments

  1. I call my doctor... by wbr1 · · Score: 4, Funny

    when I need to call std::terminate.

    --
    Silence is a state of mime.
  2. Re:You'd be surprised by fnj · · Score: 4, Insightful

    What kind of things are exploitable.

    Learn.

    If the above involves an SEH chain being invoked on Windows, it can be exploited.

    It doesn't. C++ exceptions have exactly NOTHING to do with Win32 structured exceptions.

  3. Re:Yet another biased Slashdot story by Anonymous Coward · · Score: 5, Insightful

    Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner. Fuck my old boots, the world will end tomorrow.

    VLC over-priced? What planet are you on? It's free in both senses of the word, you plank! If anyone is selling media playback, they'll simply put a wrapper over ffmpeg, like 99% of Windows and OSX video players do already.

  4. Re:Put up or shut up by Lunix+Nutcase · · Score: 4, Informative

    How is that phrase gibberish? It's quite clear what it means if you've ever used C++ and function pointers to implement callbacks for an object.

  5. Re:Yet another biased Slashdot story by g0bshiTe · · Score: 5, Funny

    It's just important that if two attackers are at it that they don't cross the streams.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  6. Re:Yet another biased Slashdot story by Anonymous Coward · · Score: 3, Insightful

    Disrupt that playback, and you have denial of service, period.

    Except if you control the data stream going to VLC you can do far more than disrupt the service. No exploit is needed.

  7. Re:... citation? by dgatwood · · Score: 5, Interesting

    No citation needed. AFAIK, there are no known vectors for exploiting an uncaught exception, with two exceptions:

    • If the exception itself causes some secret information to be leaked to a log file somewhere. This does not apply because the content being played is owned by the computer's owner, who also owns the log files.
    • If the exception causes some component to get freed and you end up with a use-after-free situation (or it causes some process to die and some other process fails to handle that death in a safe manner). Presumably VLC is designed to handle codecs going away, but if not, then that is the exploitable vulnerability, not the exception itself.
    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Use after free is *not* just a DOS vulnerability by benjymouse · · Score: 3, Informative

    (original submitter here)

    If Secunia is correct that the root cause is a use-after-free vulnerability, its exploitability is likely not limited to simple DOS. Secunia talk about a callback handler. A use after free vulnerability can easily lead to execution of arbitrary code, depending on how much control the attacker can assert over the memory.

    Also, it is interesting if the sentiment is that it is not a vulnerability if it sits in a linked library. Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  9. Re:Mein Kempf by Ash+Vince · · Score: 3, Interesting

    protip: patent infringement != libel/slander ;)

    It is still running to a bunch of lawyers though to settle what should be a technical issue.

    He is worried about the damage to his wonderful player's reputation by Secunia filing a few bug reports? It works both ways: if they have filed bugs based on security issues that do not exist, that damages their reputation. Surely it makes more sense to have a discussion between two techies regarding the expected behaviour of the application. I don't see what a bunch of lawyers can contribute to that.

    Oh, apart from burning them to keep the techies warm :)

    --
    I don't read /. to RTFA, I read /. to offend people in ignorance.
  10. Re:Yet another biased Slashdot story by Sarten-X · · Score: 4, Informative

    You jest, but that's a decent example. It's a hostile world, and every little thing, no matter how trivial, can be used against you, in unexpected ways. If you're aiming to kill a sysadmin, perhaps VLC is just the right tool for the job. Perhaps the bus hit was planned, and the attacker just needed a way to get the admin out in the open.

    One of my personal favorite exploits involved using a core dump to drop a file into cron.d. The kernel, being ever so helpful, would put the dump into whatever working directory the crashing program was running in. Cron, being ever so helpful, would run all the files in cron.d, and being ever so helpful, would ignore all the badly-malformed data in those files. Put them together, and suddenly any user who can run a program can schedule commands to be run as root.

    As your example shows with ample hyperbole, even a clean termination may be part of a larger plan. Perhaps VLC terminating triggers a watchdog that is differently-exploitable. Perhaps VLC is interfering with another exploit the attacker wants to use. Perhaps something else altogether... what matters is that all such attack vectors can be blocked by fixing this unexpected behavior.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  11. consider shared libraries by Chirs · · Score: 3, Informative

    If I update the library it resolves the problem for all users of the library. Therefore, the problem is in the shared library, not in the users of that library.

    It may be possible to trigger the bug in users of the library, but the actual error (and the thing that must be fixed) is in the library, not the program using it.

  12. Re:... citation? by hairyfeet · · Score: 3, Informative

    Well I'm not a security expert so I can't comment on that, but what I DO have is a shitload of PCs at the shop, and I can say that the VLC guy is right: I just tested the Secunia "Proof Of Concept" SWF and it don't do shit under VLC. If any Secunia fans are here, it shows an image, the QT logo, and that's it.

    I tried it on 32-bit and 64-bit Win 7 and even the old XP box in the corner, and he's right. First of all, VLC won't even open it by default; it won't show up in either the open-with or any right-click menus for that format, so you have to fire up VLC and THEN switch away from media files to all files to even see the thing in VLC. And as I said, when run? Nothing. Hell, it didn't even make VLC hang or crash.

    So I'm sorry Secunia, but if that is your "proof" I gotta throw a flag: bullshit on the field. I haven't got any real old versions of VLC to check what it does on old versions, but since VLC has had an updater in place for a couple of years now, I can say that I just don't run into anybody running old versions of VLC in the wild, so I don't consider that a test worth running.

    --
    ACs don't waste your time replying, your posts are never seen by me.