Slashdot Mirror

← Back to Stories (view on slashdot.org)

MPlayer, VLC Media Player Hit By Critical Vulnerability (hackread.com)

Posted by BeauHD on from the hit-and-run dept.

A critical remote code execution vulnerability has been spotted in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. "Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263 +, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis," reports Hackread. From the report: These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP, explains. An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players make sure they are updated to the latest version.

4 of 72 comments (clear)

  1. Do this right away by Tough+Love · · Score: 1, Informative

    Debian users, do this right away:

          sudo apt upgrade && sudo apt install liblivemedia62:amd64 liblivemedia64:amd64

    For buster/sid, this updates to versions 2018.10.17-1 and 2018.08.28a-1. Then check to see if these have the fix, I think they do but I have not verified yet.

    This update takes less than 1 minute to do, there is not the slightest excuse for procrastinating.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
    1. Re:Do this right away by Tough+Love · · Score: 3, Informative

      Gah, typoed that. Should be:

              sudo apt update && sudo apt install liblivemedia62:amd64 liblivemedia64:amd64

      Not sure which of those two libraries has the hole, maybe both.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  2. No, it doesn't affect *any* media player by Ross+Finlayson · · Score: 5, Informative

    The bug - which has now been fixed in the LIVE555 library (with the fix already reported to Cisco) - affected only the LIVE555 library's implementation of a RTSP *server*. It doesn't affect the implementation of a RTSP *client*, which is the only part of the LIVE555 library that VLC and MPlayer use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555's.)

    (I know this because I'm the author of the LIVE555 software :-)

  3. Slashdot editors fix the headline and summary by caseih · · Score: 4, Informative

    Please can the slashdot editors fix the headline and summary to reflect the actual situation as per Ross Finlayson's post. Which is to say Mplayer and VLC Media Player were not vulnerable and there's no need to panic. The article linked to in the summary is plain wrong and really needs to be retracted.