Slashdot Mirror


MPlayer, VLC Media Player Hit By Critical Vulnerability (hackread.com)

A critical remote code execution vulnerability has been spotted in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. "Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263+, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis," reports Hackread. From the report: These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP. An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players, make sure they are updated to the latest version.

36 of 72 comments

  1. VLC hasn't been updated... by dicobalt · · Score: 2

    It's still 3.0.4 which I've had for a while now.

    1. Re:VLC hasn't been updated... by ShaunC · · Score: 2

      Yep, 3.0.4 came out on August 31. I don't see anything on their website or FTP server about a newer release.

      The dev changelog does refer to a version 3.0.5, but the changes listed there don't include fixing this vulnerability.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:VLC hasn't been updated... by LuniticusTheSane · · Score: 3, Interesting

      Ver 3.0.3 "Updates 3rd party libraries for security issues"

  2. What is the updated version? by Registered+Coward+v2 · · Score: 4, Insightful

    It would be helpful if articles such as this listed what VLC versions (or other software) have addressed this flaw, rather than just saying to have the latest update. From the article, the assumption is that if you have the Win/OS X/Linux version updated to the latest release you are not vulnerable.

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:What is the updated version? by Anonymous Coward · · Score: 1

      It's not VLC per se that's vulnerable. It's the live555 streaming libraries that are. The version for liblivemedia that's vulnerable is 0.92. The CVE for it doesn't mention if prior versions are also vulnerable.

  3. But VLC 3.0 sucks. by Anonymous Coward · · Score: 1

    Last time I tried it, the control interface couldn't be moved to another monitor. Plus, it could only use a limited number of video output modules, some of which were blocky or poor performing.

  4. Tiny minority affected by Anonymous Coward · · Score: 1

    Almost nobody that uses VLC will actually be affected by this bug

    1. Re:Tiny minority affected by Tough+Love · · Score: 1

      Almost nobody that uses VLC will actually be affected by this bug

      [citation needed]

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    2. Re:Tiny minority affected by Anonymous Coward · · Score: 1

      Network streaming (which this library is used for) and playback of local files (what the vast majority of users actually, and only, use VLC for) are not the same.

    3. Re:Tiny minority affected by Tough+Love · · Score: 1

      What makes you think that nobody streams media from the internet?

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    4. Re:Tiny minority affected by AHuxley · · Score: 1

      Could downloaded media be made to call home on a few different OS?

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:Tiny minority affected by Tough+Love · · Score: 1

      I hope that you will soon also understand that you are also a hazard to security. It should be obvious that many applications depend on vlc and therefore live555, and that many users use these to access media remotely. The coward had a chance to think critically, possibly redeeming themselves for an obviously stupid comment, why should I be surprised that that was a complete fail. And why should I be surprised that some other coward hopes to defend their imagined duty to be clueless on the internet.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    6. Re:Tiny minority affected by Tough+Love · · Score: 1

      So who's clueless on the internet?

      The one who thought nobody was vulnerable ("a tiny minority") without being able to factually support that belief, until an upstream developer weighed in, and who is still wrong to believe that it is ok for even a minority to risk their security needlessly, and to advocate for others to follow that path. That would be you, apparently.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    7. Re:Tiny minority affected by Anonymous Coward · · Score: 1

      He doesn't think that nor did he say anything implying that he might think that.

      Most people who stream from the Internet aren't using VLC for that. They're probably using web browsers and Netflix clients (which can't ever be VLC), and on mobiles they might be using a dedicated YouTube client. And some others. Rarely VLC/mpv/mplayer/xine/parole/etc.

      Most people who use VLC (and mpv and parole and mplayer) are playing local files.

      The two groups do intersect, but not much. Streaming video is mostly a business thing, and businesses still use DRM (which means no VLC) because they're all trying to kill themselves by encouraging all users to switch to piracy. (And some users obey them, but then that usually comes with a switch to downloading and playing from local disk.)

  5. Do this right away by Tough+Love · · Score: 1, Informative

    Debian users, do this right away:

          sudo apt upgrade && sudo apt install liblivemedia62:amd64 liblivemedia64:amd64

    For buster/sid, this updates to versions 2018.10.17-1 and 2018.08.28a-1. Then check to see if these have the fix, I think they do but I have not verified yet.

    This update takes less than 1 minute to do, there is not the slightest excuse for procrastinating.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
    1. Re:Do this right away by Tough+Love · · Score: 1

      Debian status of this vulnerability

      Looks like fixed in Sid (I'm ok!) but testing and stable are still vulnerable as of right now.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    2. Re:Do this right away by Tough+Love · · Score: 3, Informative

      Gah, typoed that. Should be:

              sudo apt update && sudo apt install liblivemedia62:amd64 liblivemedia64:amd64

      Not sure which of those two libraries has the hole, maybe both.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    3. Re: Do this right away by brer_rabbit · · Score: 4, Funny

      Thanks for fixing, because I usually just cut & paste any sudo command.

    4. Re: Do this right away by Tough+Love · · Score: 1

      Good work for spotting and pointing out the original problem, much more useful than posting a random snipe to the internet

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  6. No Update Yet by WindowsStar · · Score: 1

    As of 2018-10-21 01:35 EDT there is no update for VLC Media Player; they are still at 3.0.4 from a month or two back. Version 3.0.5 would be the updated version.

    1. Re:No Update Yet by Tough+Love · · Score: 1

      3.0.5 is still a development branch, if you wait for that you will be waiting a long time. You need a security patch. Already landed in Debian/Sid, good luck with Windows.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    2. Re: No Update Yet by Tough+Love · · Score: 1

      Anything more than a few bytes is enough to own you.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  7. No, it doesn't affect *any* media player by Ross+Finlayson · · Score: 5, Informative

    The bug - which has now been fixed in the LIVE555 library (with the fix already reported to Cisco) - affected only the LIVE555 library's implementation of a RTSP *server*. It doesn't affect the implementation of a RTSP *client*, which is the only part of the LIVE555 library that VLC and MPlayer use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555's.)

    (I know this because I'm the author of the LIVE555 software :-)

    1. Re:No, it doesn't affect *any* media player by Tough+Love · · Score: 1

      Thanks for that.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    2. Re:No, it doesn't affect *any* media player by Anonymous Coward · · Score: 2, Insightful

      Wish I'd seen this *before* I caved in to everyone's panic and updated VLC, only to instantly discover that at least one feature I constantly use was now totally broken. Thankfully the old versions were still available on the website.

      THIS IS WHY I NEVER UPDATE SHIT

    3. Re: No, it doesn't affect *any* media player by jd · · Score: 1

      I greatly appreciate your post and rapid fix.

      Would static checkers have helped?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re:No, it doesn't affect *any* media player by slashdot_commentator · · Score: 1

      Is any of the LIVE555 software used to stream VLC video to an android device? e.g. chromecasting or miracast(?) from a media PC to android TV?

      When VLC had the bug that wouldn't allow streaming from a VLC client on a PC to a TV (using Chromecast), I recall a precursor protocol that allowed DLNA devices connectivity between each other for streaming purposes.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    5. Re:No, it doesn't affect *any* media player by mikelieman · · Score: 1

      It's 2018, and /. is still relevant ( 5 digit UID's represent!!! )

      --
      Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
    6. Re:No, it doesn't affect *any* media player by DERoss · · Score: 1

      That is supported by a blog post at https://threatpost.com/critica.... It would be appreciated if people would learn the difference between a server and a client.

  8. Question by jd · · Score: 1

    Would any existing static checker free for use with open source have identified the bug?

    If yes, then there should be an obligation to use them in key software.

    If no, then we need to sort out the lack of testing common in the software industry as a whole.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. watch video offline by Asepsyaripudin · · Score: 1

    If using the application only to watch offline videos, is it affected?

  10. Re:Bad Debian advice by Anonymous Coward · · Score: 1

    Never 'apt upgrade' or perform any other apt operation without first running 'apt update' to make sure that you are working with the latest package sets.
    People who complain about practically nonexistent problems such as "dependency hell" are always painting themselves into this corner...
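    As an added example (not code from this thread, from Debian or from the LIVE555 project), here is the check a practitioner would run after the `apt update && apt install ...` step from the "Do this right away" post, following the point made just above about running `apt update` first. It reimplements dpkg's version ordering in Python so the logic runs offline, then flags installed liblivemedia packages that are older than a required version. On a real Debian host `dpkg --compare-versions` gives the same answer. The required versions are placeholders copied from the post, whose author said they were not yet verified as carrying the fix; the dpkg-query output is constructed sample data, not output from any real machine.

```python
# Added example: pure-Python reimplementation of dpkg's version ordering,
# used to flag installed liblivemedia packages below a required version.
# On a Debian host `dpkg --compare-versions` performs the same comparison.

def _order(c):
    """Sort weight of one non-digit character, as in dpkg: '~' sorts before
    everything (even the end of the string), letters by code point, and
    other characters after all letters. Digits weigh 0, like end-of-string."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or Debian revision)
    the way dpkg does: alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run, character by character; end of string has weight 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # numeric run: drop leading zeros; a longer run of digits is larger,
        # equal-length runs are decided by the first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Placeholder required versions, copied from the Debian post in this thread.
# The poster had not verified that they carry the fix: confirm against the
# Debian security tracker before relying on them.
FIXED_VERSIONS = {
    "liblivemedia64": "2018.10.17-1",
    "liblivemedia62": "2018.08.28a-1",
}

def outdated_packages(dpkg_lines, fixed=FIXED_VERSIONS):
    """Parse lines produced by
        dpkg-query -W -f='${Package}\\t${Version}\\t${Status}\\n' 'liblivemedia*'
    and return [(package, installed, required)] for every package that is
    actually installed and older than its required version."""
    result = []
    for line in dpkg_lines:
        parts = line.rstrip("\n").split("\t")
        # only fully installed packages count; 'config-files' leftovers do not
        if len(parts) != 3 or not parts[2].endswith(" installed"):
            continue
        name, installed, _status = parts
        base = name.split(":", 1)[0]  # strip the ':amd64' architecture suffix
        required = fixed.get(base)
        if required and compare_versions(installed, required) < 0:
            result.append((base, installed, required))
    return result

# Constructed sample of dpkg-query output (not real output from any host).
SAMPLE_DPKG_OUTPUT = [
    "liblivemedia64:amd64\t2018.08.28a-1\tinstall ok installed",
    "liblivemedia62:amd64\t2018.08.28a-1\tinstall ok installed",
    "liblivemedia62:i386\t0.92-1\tdeinstall ok config-files",
]

if __name__ == "__main__":
    for base, installed, required in outdated_packages(SAMPLE_DPKG_OUTPUT):
        print(f"{base}: installed {installed} is older than {required}")
```

    Pipe the real dpkg-query output into `outdated_packages` after the upgrade; an empty result means every installed liblivemedia package is at or above the version you entered in `FIXED_VERSIONS`. The removed-but-not-purged i386 entry in the sample shows why the status column is checked: a package in `config-files` state has no library on disk and should not be reported.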

  11. No they aren't by campuscodi · · Score: 1

    This article is grossly inaccurate and blatantly wrong. https://twitter.com/videolan/s... + https://twitter.com/hanno/stat...

  12. Appears to be a false alarm: by Anonymous Coward · · Score: 1

    "
    Update:

    According to an email from Ross Finlayson of Live Networks, Inc., the vulnerability “does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP. The bug affected only our implementation of a RTSP, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s.)”

    "

  13. Slashdot editors fix the headline and summary by caseih · · Score: 4, Informative

    Please can the slashdot editors fix the headline and summary to reflect the actual situation as per Ross Finlayson's post. Which is to say Mplayer and VLC Media Player were not vulnerable and there's no need to panic. The article linked to in the summary is plain wrong and really needs to be retracted.

  14. RTFA by notb666 · · Score: 3, Insightful

    According to an email from Ross Finlayson of Live Networks, Inc., the vulnerability “does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP client. The bug affected only our implementation of a RTSP server, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s.)”