Slashdot Mirror

← Back to Stories (view on slashdot.org)

VLC And Secunia Fighting Over Vulnerability Reports

Posted by Unknown on from the fight-fight-fight dept.

benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.

3 of 100 comments (clear)

  1. Re:Yet another biased Slashdot story by Anonymous Coward · · Score: 5, Insightful

    Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner. Fuck my old boots, the world will end tomorrow.

    VLC over-priced? What planet are you on, it's a free in both senses of the word, you plank! If anyone is selling media playback, they'll simply put a wrapper over ffmpeg, like 99% of Windows and OSX video players do already.

  2. Re:Yet another biased Slashdot story by g0bshiTe · · Score: 5, Funny

    It's just important that if two attackers are at it that they don't cross the streams.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  3. Re:... citation? by dgatwood · · Score: 5, Interesting

    No citation needed. AFAIK, there are no known vectors for exploiting an uncaught exception, with two exceptions:

    • If the exception itself causes some secret information to be leaked to a log file somewhere. This does not apply because the content being played is owned by the computer's owner, who also owns the log files.
    • If the exception causes some component to get freed and you end up with a use-after-free situation (or it causes some process to die and some other process fails to handle that death in a safe manner). Presumably VLC is designed to handle codecs going away, but if not, then that is the exploitable vulnerability, not the exception itself.
    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.