SoylentNews is people
posted by martyb on Tuesday June 25 2019, @11:08PM
from the no-more-playing-around dept.

Submitted via IRC for SoyCow1944

An attacker could remotely take full control over a computer system while playing untrusted videos with any version of VLC media player software prior to 3.0.7.

The hack is possible due to two high-risk security flaws (CVE-2019-5439, CVE-2019-12874) that could potentially lead to arbitrary code execution attacks. The company VideoLAN also addressed many other medium and low-severity security vulnerabilities in its software.

"A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively," reads the security advisory published by the company. "If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user."

Source: https://securityaffairs.co/wordpress/87433/breaking-news/vlc-player-flaws.html



 
This discussion has been archived. No new comments can be posted.
  • (Score: 2) by All Your Lawn Are Belong To Us on Tuesday June 25 2019, @11:16PM (4 children)

    by All Your Lawn Are Belong To Us (6553) on Tuesday June 25 2019, @11:16PM (#859909) Journal

    It is a flaw and needs to be addressed. But to be sure there has to be an actor who's created exploit code and embedded it as part of the video. It is not that someone simply playing an untainted untrusted video who could have their system exploited. (Yeah, it reads that way when you read the full summary. But the first sentence and summary could be, "...computer system while playing exploited untrusted videos...")

    I look forward to a patch. :)

    --
    This sig for rent.
    • (Score: 4, Funny) by JoeMerchant on Wednesday June 26 2019, @01:23AM (3 children)

      by JoeMerchant (3937) on Wednesday June 26 2019, @01:23AM (#859949)

      I just checked the VLC installed in my Ubuntu 18.04.2 system: 3.0.4

      Unless you're specifically patching forward, standard "accept security updates" channels haven't addressed this flaw, yet.

      It's a good thing I don't play videos I download from the internet, I just stream video from the cheap Chinese IP cameras, what could possibly go wrong? Seriously, though, I have a TrendNet 3MP PoE IP cam from about 4 years ago which persistently conspires with my router, opening holes in my firewall to publish itself on the internet.

      --
      🌻🌻 [google.com]
      • (Score: 0) by Anonymous Coward on Wednesday June 26 2019, @06:27AM (2 children)

        by Anonymous Coward on Wednesday June 26 2019, @06:27AM (#860009)

        Similar situation on fully patched Ubuntu 19.04. Currently on VLC v 3.0.6-1, no new version available.

        I wonder if confinement in the snap version of VLC (as opposed to the deb package) is much protection here? Despite the various problems I've had running snaps, security issues like this would seem a strong argument for running snap packages of apps like VLC that are frequently exposed to "untrusted content" and seem to be hotbeds of security vulnerabilities.

        • (Score: 0) by Anonymous Coward on Wednesday June 26 2019, @12:22PM (1 child)

          by Anonymous Coward on Wednesday June 26 2019, @12:22PM (#860058)

          Forget Ubuntu. Switch to Fedora. VLC 3.0.7.1 here. Directly from rpmfusion repos.

          • (Score: 2) by JoeMerchant on Thursday June 27 2019, @02:47AM

            by JoeMerchant (3937) on Thursday June 27 2019, @02:47AM (#860359)

            I think that's a difference between apt/deb and yum/rpm, mostly.

            I tried living with CentOS for over a year, about a year ago... didn't enjoy it much - not impossible, just more trouble overall than in Ubuntu.

            --
            🌻🌻 [google.com]
  • (Score: 2) by MostCynical on Tuesday June 25 2019, @11:31PM (4 children)

    by MostCynical (2589) on Tuesday June 25 2019, @11:31PM (#859915) Journal

    "with the privileges of the target user."

    Don't run as admin.
    Sudo is your friend.

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 3, Funny) by RamiK on Wednesday June 26 2019, @12:21AM (2 children)

      by RamiK (1813) on Wednesday June 26 2019, @12:21AM (#859934)

      $ sudo vlc ./porn_S05E03.mkv

      --
      compiling...
      • (Score: 3, Funny) by looorg on Wednesday June 26 2019, @01:35AM (1 child)

        by looorg (578) on Wednesday June 26 2019, @01:35AM (#859952)

        Since I missed the first four seasons and change, what the fuck did I miss?

        • (Score: 2) by http on Wednesday June 26 2019, @06:20AM

          by http (1920) on Wednesday June 26 2019, @06:20AM (#860008)

          Fucking.

          --
          I browse at -1 when I have mod points. It's unsettling.
    • (Score: 0) by Anonymous Coward on Thursday June 27 2019, @03:14AM

      by Anonymous Coward on Thursday June 27 2019, @03:14AM (#860370)
      But your ssh keys, emails, etc aren't stored as admin either right?

      Run vlc to view random videos using a "vlc-unsafe" user account. Use a wrapper script/alias to make it easier if you want.

      Similarly use firefox-unsafe to browse SN etc using , firefox-bank1 for bank #1 and so on.
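
The separate-account idea from the comment above, sketched as a wrapper script. This is an added example, not part of the original thread or of VLC; it assumes an account named `vlc-unsafe` already exists, that sudoers lets you run `vlc` as that account, and that the account has been given access to your display separately.

```sh
#!/bin/sh
# vlc-unsafe: added example wrapper; account name and paths are assumptions.
UNSAFE_USER="${UNSAFE_USER:-vlc-unsafe}"

# The target account must exist and must not be root or the caller,
# otherwise the wrapper would give no separation at all.
account_ok() {
    uid=$(id -u "$UNSAFE_USER" 2>/dev/null) || uid=
    if [ -z "$uid" ] || [ "$uid" -eq 0 ] || [ "$uid" -eq "$(id -u)" ]; then
        echo "refusing: $UNSAFE_USER must exist and be neither root nor you" >&2
        return 1
    fi
}

# Copy the media file into a fresh directory the unsafe account can read,
# so it needs no permissions on your home directory. Prints the staged path.
# Note: the copy is world-readable while it exists.
stage_media() {
    src=$1
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    dir=$(mktemp -d "${TMPDIR:-/tmp}/vlc-unsafe.XXXXXX") || return 1
    chmod 755 "$dir"
    name=$(basename -- "$src")
    cp -- "$src" "$dir/$name" || { rm -rf -- "$dir"; return 1; }
    chmod 644 "$dir/$name"
    printf '%s\n' "$dir/$name"
}

play_unsafe() {
    staged=$(stage_media "$1") || return 1
    # -H gives VLC the unsafe account's HOME; the staged path is absolute,
    # so a file name starting with "-" cannot be read as an option.
    sudo -H -u "$UNSAFE_USER" -- vlc --play-and-exit "$staged"
    status=$?
    rm -rf -- "${staged%/*}"
    return "$status"
}

main() {
    [ $# -eq 1 ] || { echo "usage: vlc-unsafe FILE" >&2; return 2; }
    account_ok && play_unsafe "$1"
}

# Run only when installed under the name vlc-unsafe; sourcing just defines functions.
case "${0##*/}" in vlc-unsafe) main "$@" ;; esac
```

This separates files and credentials (SSH keys, mail, browser profiles) from the player. Under X11, any client allowed onto the display can observe other clients' input, so it does not isolate the desktop session itself.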
  • (Score: 0) by Anonymous Coward on Wednesday June 26 2019, @12:03AM (6 children)

    by Anonymous Coward on Wednesday June 26 2019, @12:03AM (#859927)

    What kind of newspeak is that? Do we have Untrusted Textfiles or even some Untrusted ASCII character too?

    • (Score: 2) by JoeMerchant on Wednesday June 26 2019, @01:26AM (2 children)

      by JoeMerchant (3937) on Wednesday June 26 2019, @01:26AM (#859950)

      >Do we have Untrusted Textfiles

      Perhaps, but they generally don't have enough data to hide large malware in side channels, whereas everybody streaming Game of Thrones or whatever from pirate sites before it's aired... yeah, that qualifies as untrusted videos.

      --
      🌻🌻 [google.com]
    • (Score: 5, Funny) by takyon on Wednesday June 26 2019, @01:28AM

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday June 26 2019, @01:28AM (#859951) Journal

      I prefer "hot video payloads".

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 3, Insightful) by pkrasimirov on Wednesday June 26 2019, @11:17AM (1 child)

      by pkrasimirov (3358) Subscriber Badge on Wednesday June 26 2019, @11:17AM (#860047)

      > Do we have Untrusted Textfiles
      Yes. Perhaps you missed the news: https://soylentnews.org/article.pl?sid=19/06/12/1429257 [soylentnews.org] Note even if you use cat it will still be hidden.

      > even some Untrusted ASCII character too?
      Of course, only these days it's Unicode. For example 卐 is illegal in Germany.
      On a more technical note: https://en.wikipedia.org/wiki/IDN_homograph_attack [wikipedia.org] You can also look up UTF decoding attacks.

      • (Score: 2) by darkfeline on Friday June 28 2019, @07:31AM

        by darkfeline (1030) on Friday June 28 2019, @07:31AM (#860857) Homepage

        Data IS code. This fact is more obvious for Lispers, but any data that is processed is manipulating the execution of code. Even something as simple as a csv passed into a sed process that substitutes tabs for commas, the csv is controlling the execution of the sed process.

        Thus, the question is always, is it possible for an input supplied to your eval to cause it to do something unintentional. The more complex or powerful your eval is, the harder it is to ensure that some input doesn't cause unwanted behavior. It turns out decoding video is nontrivial, so it's not surprising that a crafted video could cause unwanted behavior in a video player.

        If you pass a text file into a shell (even a restricted shell), then there's a pretty high probability that the text file could Fuck Your Shit Up, as shells are complex and powerful. Passing that file to cat, it's probably okay since cat is simple. But then that data goes to your terminal, and it turns out that terminals are pretty complex with all of those control codes...

        --
        Join the SDF Public Access UNIX System today!