Slashdot Mirror

← Back to Stories (view on slashdot.org)

MPlayer, VLC Media Player Hit By Critical Vulnerability (hackread.com)

Posted by BeauHD on from the hit-and-run dept.

A critical remote code execution vulnerability has been spotted in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. "Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263 +, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis," reports Hackread. From the report: These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP, explains. An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players make sure they are updated to the latest version.

4 of 72 comments (clear)

  1. What is the updated version? by Registered+Coward+v2 · · Score: 4, Insightful

    It would be helpful if articles such as this listed what VLC versions (or other software) have addressed this flaw, rather than just say have the latest updated. From the article the assumption is if you have the Win/OS X/Linux updated to the latest version you are not vulnerable.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  2. No, it doesn't affect *any* media player by Ross+Finlayson · · Score: 5, Informative

    The bug - which has now been fixed in the LIVE555 library (with the fix already reported to Cisco) - affected only the LIVE555 library's implementation of a RTSP *server*. It doesn't affect the implementation of a RTSP *client*, which is the only part of the LIVE555 library that VLC and MPlayer use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555's.)

    (I know this because I'm the author of the LIVE555 software :-)

  3. Re: Do this right away by brer_rabbit · · Score: 4, Funny

    Thanks for fixing, because I usually just cut & paste any sudo command.

  4. Slashdot editors fix the headline and summary by caseih · · Score: 4, Informative

    Please can the slashdot editors fix the headline and summary to reflect the actual situation as per Ross Finlayson's post. Which is to say Mplayer and VLC Media Player were not vulnerable and there's no need to panic. The article linked to in the summary is plain wrong and really needs to be retracted.