Slashdot Mirror


MPlayer, VLC Media Player Hit By Critical Vulnerability (hackread.com)

A critical remote code execution vulnerability has been spotted in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. "Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263+, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis," reports Hackread. From the report: These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP. An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players make sure they are updated to the latest version.
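To make concrete what "HTTP header parsing for RTSP tunneling over HTTP" refers to, here is an added example that is not LIVE555's code and not from the article: a bounded parser for the GET/POST requests a tunnelling client sends to an RTSP server. It assumes the conventional `x-sessioncookie` header that RTSP-over-HTTP tunnelling uses to pair the two connections; the length caps are illustrative values chosen here, not LIVE555's.

```python
"""Bounded parser for the HTTP side of RTSP-over-HTTP tunnelling (added example).

A tunnelling client opens a GET and a POST that carry the same
x-sessioncookie header; the server pairs the two connections on that value.
Every field copied out below is length-checked first, so oversized or
malformed headers are rejected rather than handed to fixed-size storage.
"""
import re

MAX_LINE = 1024      # illustrative cap on one request or header line
MAX_HEADERS = 32     # illustrative cap on header count
MAX_COOKIE = 64      # illustrative cap on the session cookie we retain
_TOKEN = re.compile(r"^[A-Za-z0-9_\-+/=.]{1,%d}$" % MAX_COOKIE)


class TunnelParseError(ValueError):
    pass


def parse_tunnel_request(raw: bytes) -> dict:
    """Return method, path and session cookie of one tunnelled HTTP request.

    Raises TunnelParseError for anything that is not a well-formed GET/POST
    carrying exactly one bounded x-sessioncookie header.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise TunnelParseError("no end of headers")
    lines = head.split(b"\r\n")
    if any(len(line) > MAX_LINE for line in lines):
        raise TunnelParseError("line too long")
    if len(lines) - 1 > MAX_HEADERS:
        raise TunnelParseError("too many headers")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in (b"GET", b"POST") or not parts[2].startswith(b"HTTP/1."):
        raise TunnelParseError("bad request line")
    cookies = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise TunnelParseError("malformed header")
        if name.strip().lower() == b"x-sessioncookie":
            cookies.append(value.strip())
    if len(cookies) != 1:
        raise TunnelParseError("expected exactly one x-sessioncookie")
    cookie = cookies[0].decode("ascii", "replace")  # non-ASCII bytes fail the token check
    if not _TOKEN.match(cookie):
        raise TunnelParseError("cookie malformed or longer than %d bytes" % MAX_COOKIE)
    return {"method": parts[0].decode(), "path": parts[1].decode("ascii", "replace"), "cookie": cookie}
```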

10 of 72 comments

  1. VLC hasn't been updated... by dicobalt · · Score: 2

    It's still 3.0.4 which I've had for a while now.

    1. Re:VLC hasn't been updated... by ShaunC · · Score: 2

      Yep, 3.0.4 came out on August 31. I don't see anything on their website or FTP server about a newer release.

      The dev changelog does refer to a version 3.0.5, but the changes listed there don't include fixing this vulnerability.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:VLC hasn't been updated... by LuniticusTheSane · · Score: 3, Interesting

      Ver 3.0.3 "Updates 3rd party libraries for security issues"

  2. What is the updated version? by Registered+Coward+v2 · · Score: 4, Insightful

    It would be helpful if articles such as this listed what VLC versions (or other software) have addressed this flaw, rather than just saying "have the latest update". From the article, the assumption is that if you have the Win/OS X/Linux version updated to the latest release you are not vulnerable.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  3. No, it doesn't affect *any* media player by Ross+Finlayson · · Score: 5, Informative

    The bug - which has now been fixed in the LIVE555 library (with the fix already reported to Cisco) - affected only the LIVE555 library's implementation of an RTSP *server*. It doesn't affect the implementation of an RTSP *client*, which is the only part of the LIVE555 library that VLC and MPlayer use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555's.)

    (I know this because I'm the author of the LIVE555 software :-)

    1. Re:No, it doesn't affect *any* media player by Anonymous Coward · · Score: 2, Insightful

      Wish I'd seen this *before* I caved in to everyone's panic and updated VLC, only to instantly discover that at least one feature I constantly use was now totally broken. Thankfully the old versions were still available on the website.

      THIS IS WHY I NEVER UPDATE SHIT

  4. Re:Do this right away by Tough+Love · · Score: 3, Informative

    Gah, typoed that. Should be:

            sudo apt update && sudo apt install liblivemedia62:amd64 liblivemedia64:amd64

    Not sure which of those two libraries has the hole, maybe both.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
  5. Re: Do this right away by brer_rabbit · · Score: 4, Funny

    Thanks for fixing, because I usually just cut & paste any sudo command.

  6. Slashdot editors fix the headline and summary by caseih · · Score: 4, Informative

    Can the Slashdot editors please fix the headline and summary to reflect the actual situation as per Ross Finlayson's post, which is to say that MPlayer and VLC Media Player were not vulnerable and there's no need to panic. The article linked to in the summary is plain wrong and really needs to be retracted.

  7. RTFA by notb666 · · Score: 3, Insightful

    According to an email from Ross Finlayson of Live Networks, Inc., the vulnerability “does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP client. The bug affected only our implementation of an RTSP server, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s.)”