Slashdot Mirror

← Back to Stories (view on slashdot.org)

MPlayer, VLC Media Player Hit By Critical Vulnerability (hackread.com)

Posted by BeauHD on from the hit-and-run dept.

A critical remote code execution vulnerability has been spotted in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. "Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263 +, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis," reports Hackread. From the report: These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP, explains. An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players make sure they are updated to the latest version.

72 comments

  1. Living on the edge by Anonymous Coward · · Score: 0

    And Win7. NO UPDATES! and I live like I want. Don't like? TUF!

  2. VLC hasn't been updated... by dicobalt · · Score: 2

    It's still 3.0.4 which I've had for a while now.

    1. Re:VLC hasn't been updated... by ShaunC · · Score: 2

      Yep, 3.0.4 came out on August 31. I don't see anything on their website or FTP server about a newer release.

      The dev changelog does refer to a version 3.0.5, but the changes listed there don't include fixing this vulnerability.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:VLC hasn't been updated... by LuniticusTheSane · · Score: 3, Interesting

      Ver 3.0.3 "Updates 3rd party libraries for security issues"

  3. What is the updated version? by Registered+Coward+v2 · · Score: 4, Insightful

    It would be helpful if articles such as this listed what VLC versions (or other software) have addressed this flaw, rather than just say have the latest updated. From the article the assumption is if you have the Win/OS X/Linux updated to the latest version you are not vulnerable.

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:What is the updated version? by Anonymous Coward · · Score: 0

      What about the mobile version?

    2. Re:What is the updated version? by Anonymous Coward · · Score: 1

      It's not VLC per se that's vulnerable. It's the live555 streaming libraries that are. The version for liblivemedia that's vulnerable is 0.92 The CVE for it doesn't mention if prior versions are also vulnerable.

  4. But VLC 3.0 sucks. by Anonymous Coward · · Score: 1

    Last time I tried it, the control interface couldn't be moved to another monitor. Plus, it could only use a limited number of video output modules, some of which were blocky or poor performing.

  5. Media Player Classic by Anonymous Coward · · Score: 0

    Also vulnerable?

  6. Tiny minority affected by Anonymous Coward · · Score: 1

    Almost nobody that uses VLC will actually be affected by this bug

    1. Re:Tiny minority affected by Tough+Love · · Score: 1

      Almost nobody that uses VLC will actually be affected by this bug

      [citation needed]

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    2. Re:Tiny minority affected by Anonymous Coward · · Score: 1

      nework streaming (which this library is used for) and playback of local files (what the vast majority of users actually, and only, use vlc for) are not the same.

    3. Re:Tiny minority affected by Tough+Love · · Score: 1

      What makes you think that nobody streams media from the internet?

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    4. Re:Tiny minority affected by AHuxley · · Score: 1

      Could downloaded media be made to call home on a few different OS?

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:Tiny minority affected by Anonymous Coward · · Score: 0

      He doesn't. Youre the one saying that. Re-read what he wrote and how yours is different.

    6. Re:Tiny minority affected by Tough+Love · · Score: 1

      I hope that you will soon also understand that you are also a hazard to security. It should be obvious that many applications depend on vlc and therefore live555, and that many users use these to access media remotely. The coward had a chance to think critically, possibly redeeming themselves for an obviously stupid comment, why should I be surprised that that was a complete fail. And why should I be surprised that some other coward hopes to defend their imagined duty to be clueless on the internet.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    7. Re:Tiny minority affected by Anonymous Coward · · Score: 0

      Turns out the vlc software isn't vulnerable. So who's clueless on the internet? I have a kettle for you to meet.

    8. Re:Tiny minority affected by Anonymous Coward · · Score: 0

      BE AFRAID!!

      Holy shit, calm down. If *someone else* choosing not to run around shitting themselves every time someone finds a security flaw is stressing you out, simply refrain from storing your personal information on their computer. Problem solved.

    9. Re:Tiny minority affected by Tough+Love · · Score: 1

      So who's clueless on the internet?

      The one who thought nobody was vulnerable ("a tiny minority") without being able to factually support that belief, until an upstream developer weighed in, and who still is wrong to belief that it is ok for even a minority to risk their security needlessly, and advocate for others to follow that path. That would be you, apparently.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    10. Re:Tiny minority affected by Tough+Love · · Score: 0

      People are welcome to risk their own systems in whatever way they wish, but posting random advice to the internet advocating that others do the same is not ok. BTW, your comment doesn't make any sense at all, do you always talk like that?

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    11. Re:Tiny minority affected by Anonymous Coward · · Score: 0

      you are really still hanging on to this aren't you? fuck, man. 99% of vlc users (estimated, and probably a little low) don't even know vlc can stream directly off a network or the internet.. hence, they use it for local playback only... and even if they did know about that feature, 99% of those users (again, estimated and probably a little low) don't use it for internet streaming even though they 'could'. add those two together and you get your comment's original parent's "almost nobody".

    12. Re:Tiny minority affected by Anonymous Coward · · Score: 1

      He doesn't think that nor did he say anything implying that he might think that.

      Most people who stream from Internet aren't using VLC for that. They're probably using web browsers, and Netflix clients (which can't ever be VLC) and on mobiles they might be using a dedicated Youtube client. And some others. Rarely VLC/mpv/mplayer/xine/parole/etc.

      Most people who use VLC (and mpv and parole and mplayer) are playing local files.

      The two groups do intersect, but not much. Streaming video is mostly a business thing, and businessed still uses DRM (which means no VLC) because they're all trying to kill themselves by encouraging all users to switch to piracy. (And some users obey them, but then that usually comes with a switch to downloading and playing from local disk.)

    13. Re:Tiny minority affected by Anonymous Coward · · Score: 0

      Take your own advice and shut the fuck up.

  7. Old news? by Anonymous Coward · · Score: 0

    Live555 hasn't been "standard" in _years_. At least since their last such exploit

    https://www.cvedetails.com/cve/CVE-2013-6933/

    For reference

    https://www.live555.com/liveMedia/public/changelog.txt
    http://lists.live555.com/pipermail/live-devel/2018-October/021071.html

  8. Do this right away by Tough+Love · · Score: 1, Informative

    Debian users, do this right away:

          sudo apt upgrade && sudo apt install liblivemedia62:amd64 liblivemedia64:amd64

    For buster/sid, this updates to versions 2018.10.17-1 and 2018.08.28a-1. Then check to see if these have the fix, I think they do but I have not verified yet.

    This update takes less than 1 minute to do, there is not the slightest excuse for procrastinating.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
    1. Re:Do this right away by Tough+Love · · Score: 1

      Debian status of this vulnerability

      Looks like fixed in Sid (I'm ok!) but testing and stable are still vulnerable as of right now.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    2. Re:Do this right away by Tough+Love · · Score: 3, Informative

      Gah, typoed that. Should be:

              sudo apt update && sudo apt install liblivemedia62:amd64 liblivemedia64:amd64

      Not sure which of those two libraries has the hole, maybe both.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    3. Re: Do this right away by brer_rabbit · · Score: 4, Funny

      Thanks for fixing, because I usually just cut & paste any sudo command.

    4. Re: Do this right away by Tough+Love · · Score: 1

      Good work for spotting and pointing out the original problem, much more useful than posting a random snipe to the internet

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  9. No Update Yet by WindowsStar · · Score: 1

    As of 2018-10-21 01:35 EDT three is no update for VLC Media Player they are still at 3.0.4 from a month or two back. Version 3.0.5 would be the updated version.

    1. Re: No Update Yet by Anonymous Coward · · Score: 0

      The vendor only posted the update today.

      Then the finder released full details of the exploit... Giving everyone one day.

      Pretty stupid. Especially considering the overflow is basically unlimited in size so you can put whatever you want in the stack.

    2. Re:No Update Yet by Tough+Love · · Score: 1

      3.0.5 is still a development branch, if you wait for that you will be waiting a long time. You need a security patch. Already landed in Debian/Sid, good luck with Windows.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    3. Re: No Update Yet by Tough+Love · · Score: 1

      Anything more than a few bytes is enough to own you.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    4. Re:No Update Yet by Anonymous Coward · · Score: 0

      So, we're waiting for 3.0.4.1 ...

  10. its not vlc's fault... by Anonymous Coward · · Score: 0

    ... if you're building it with out of date "live" support... or "live" support at all.

  11. Preferences-All-Input/Codecs-Demuxers by Anonymous Coward · · Score: 0

    Assuming you never stream in VLC anyway, just change the module to "disabled" to turn the feature off completely.

  12. No, it doesn't affect *any* media player by Ross+Finlayson · · Score: 5, Informative

    The bug - which has now been fixed in the LIVE555 library (with the fix already reported to Cisco) - affected only the LIVE555 library's implementation of a RTSP *server*. It doesn't affect the implementation of a RTSP *client*, which is the only part of the LIVE555 library that VLC and MPlayer use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555's.)

    (I know this because I'm the author of the LIVE555 software :-)

    1. Re:No, it doesn't affect *any* media player by Tough+Love · · Score: 1

      Thanks for that.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    2. Re:No, it doesn't affect *any* media player by Anonymous Coward · · Score: 2, Insightful

      Wish I'd seen this *before* I caved in to everyone's panic and updated VLC, only to instantly discover that least one feature I constantly use was now totally broken. Thankfully the old versions were still available on the website.

      THIS IS WHY I NEVER UPDATE SHIT

    3. Re:No, it doesn't affect *any* media player by Anonymous Coward · · Score: 0

      And no thanks for "hackread" for crying wolf. How does beauhd manage these excreably stupid sources time and again? Is he stupid himself by any chance?

    4. Re:No, it doesn't affect *any* media player by Tough+Love · · Score: 0

      Eh, you lost the plot. It is a real vulnerability and people are really exposed to it. It was clarified that vlc servers are vulnerable to malicious clients, not the other way round. That means a much smaller group is exposed, but In a way, it makes it worse.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    5. Re: No, it doesn't affect *any* media player by jd · · Score: 1

      I greatly appreciate your post and rapid fix.

      Would static checkers have helped?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    6. Re:No, it doesn't affect *any* media player by Anonymous Coward · · Score: 0

      Your reading comprehension leaves something to be desired, to wit:

      It doesn't affect the implementation of a RTSP *client*, which is the only part of the LIVE555 library that VLC and MPlayer use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555's.)

      Let me highlight that for you: VLC does not use LIVE555 RTSP server. So not affected at all. Nor is mplayer.

      Which brings us back to poser s'kiddie den "hackread", which says something else, therefore is crying wolf.

    7. Re:No, it doesn't affect *any* media player by slashdot_commentator · · Score: 1

      Is any of the LIVE555 software used to stream VLC video to an android device? e.g. chromecasting or miracast(?) from a media PC to android TV?

      When vlc had the bug that wouldn't allow streaming from a vlc client on a PC to a TV (using chromecast), I recall a precursor protocol that allowed DLNA devices connectivity between each other for streaming purposes..

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    8. Re:No, it doesn't affect *any* media player by mikelieman · · Score: 1

      It's 2018, and /. is still relevant ( 5 digit UID's represent!!! )

      --
      Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
    9. Re:No, it doesn't affect *any* media player by Anonymous Coward · · Score: 0

      no its not a real vuln. RTSP is dead. RTMP is also dead. its all hls and hds now. except a few russian porn sites still clinging on to old tech.

      stop being a dummy

    10. Re:No, it doesn't affect *any* media player by DERoss · · Score: 1

      That is supported by a blog post at https://threatpost.com/critica.... It would be appreciated if people would learn the difference between a server and a client.

    11. Re:No, it doesn't affect *any* media player by Anonymous Coward · · Score: 0

      (I know this because I'm the author of the LIVE555 software :-)

      Citation needed.

  13. To clarify, this is in VLC's RTSP *server* by Anonymous Coward · · Score: 0

    If a client is fetching video from VLC acting as an RTSP-over-HTTP server, duplicate HTTP headers (of particular types) in the client request can cause a stack buffer overflow. Each individual header is properly length-checked, but if there are multiples (in violation of the HTTP spec), they get concatenated, and the concatenation is not checked. Oops!

    This vulnerability is irrelevant to the standard video-viewing applications of VLC (and mplayer); only if you're streaming from VLC does it matter. (And the client has to be malicious, but most home networks include at least one unpatched PoS internet-enabled device which can be exploited by an attacker.)

    It's fixed in the 2018.10.17 release of liblivemedia; VLC or mplayer proper do not need patching. (Dunno how the Windows library is distributed.)

    1. Re:To clarify, this is in VLC's RTSP *server* by Anonymous Coward · · Score: 0

      Wrong. VLC does NOT use the Live555 library when acting as an RTSP server.

  14. Obviously by Anonymous Coward · · Score: 0

    I blame Zuck.

  15. Question by jd · · Score: 1

    Would any existing static checker free for use with open source have identified the bug?

    If yes, then there should be an obligation to use them in key software.

    If no, then we need to sort out the lack of testing common in the software industry as a whole.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  16. watch video offline by Asepsyaripudin · · Score: 1

    if using the application only to watch offline videos affected?

  17. Re:Bad Debian advice by Anonymous Coward · · Score: 1

    Never 'apt upgrade' or perform any other apt operation without first running 'apt update' to make sure that you are working with the latest package sets.
    People who complain about practically nonexistent problems such as "dependency hell" are always painting themselves into this corner...

  18. No they aren't by campuscodi · · Score: 1

    This article is grossly inaccurate and blatantly wrong. https://twitter.com/videolan/s... + https://twitter.com/hanno/stat...

  19. VLC and MPlayet NOT affected by Anonymous Coward · · Score: 0

    VLC and MPlayer do not use Live Network's technology in a way that makes them vulnerable to this issue. The headline needs correction. The linked article has been updated.

  20. Nothing to see here by Anonymous Coward · · Score: 0

    They update the article and said that MPlayer and VLC are not vulnerable.

    Update:
    According to an email from Ross Finlayson of Live Networks, Inc., the vulnerability âoedoes not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP. The bug affected only our implementation of a RTSP, which these media players donâ(TM)t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555â(TM)s.)â

  21. Appears to be a false alarm: by Anonymous Coward · · Score: 1

    "
    Update:

    According to an email from Ross Finlayson of Live Networks, Inc., the vulnerability “does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP. The bug affected only our implementation of a RTSP, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s.)”

    "

  22. Daum's Potplayer! by Anonymous Coward · · Score: 0

    Haven't looked back at VLC since switching to it.

  23. Slashdot editors fix the headline and summary by caseih · · Score: 4, Informative

    Please can the slashdot editors fix the headline and summary to reflect the actual situation as per Ross Finlayson's post. Which is to say Mplayer and VLC Media Player were not vulnerable and there's no need to panic. The article linked to in the summary is plain wrong and really needs to be retracted.

    1. Re: Slashdot editors fix the headline and summary by Anonymous Coward · · Score: 0

      [17 hours later]

      Well, that appeal to reason didn't go so well.

  24. RTFA by notb666 · · Score: 3, Insightful

    According to an email from Ross Finlayson of Live Networks, Inc., the vulnerability “does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP. The bug affected only our implementation of a RTSP, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s.)”

  25. creimer has a micropenis. by Anonymous Coward · · Score: 0

    Unpatched RTM Win98 (not SE) plugged directly to the Internet. Suck it!

  26. Re: c6gunner's impersonating me & lying by Anonymous Coward · · Score: 0

    Not that you're one to live in the past or anything. Do you still rage about that kid who called you dumb when you were eleven?

    (not c6gunner)

  27. c6gunner's impersonating me & lying by Anonymous Coward · · Score: 0

    See subject: c6gunner's name on this post as submitter yet signed "APK" https://linux.slashdot.org/com... & he ran from a fair challenge I put to him https://linux.slashdot.org/com... after insulting me.

    * I never say hosts cure Spectre/Meltdown OR it'd be on the Start64.com download page & I do NO MacOS X one!

    (I cut him to pieces for his lies here https://tech.slashdot.org/comm... & https://tech.slashdot.org/comm... too & on hosts' technicals https://tech.slashdot.org/comm... )

    APK

    P.S.=> You say hosts = shit https://slashdot.org/comments.... ?

    FACTS: /.ers & security pros + RESULTS say DIFFERENT:

    1st: /.ers https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments....

    2nd: SECURITY PROS https://slashdot.org/comments....

    3rd: REAL RESULTS w/ hosts vs. threats https://slashdot.org/comments....

    EAT YOUR WORDS