Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Tuesday June 25 2019, @11:08PM   Printer-friendly
from the no-more-playing-around dept.

Submitted via IRC for SoyCow1944

An attacker could remotely take full control over a computer system while playing untrusted videos with any version of VLC media player software prior to 3.0.7.

The hack is possible due to two high-risk security flaws (CVE-2019-5439, CVE-2019-12874) that could potentially lead to arbitrary code execution attacks. The company Videolan also addressed many other medium and low-severity security vulnerabilities in its software.

"A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively" reads the security advisory published by the company. "If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user."

Source: https://securityaffairs.co/wordpress/87433/breaking-news/vlc-player-flaws.html


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Funny) by JoeMerchant on Wednesday June 26 2019, @01:23AM (3 children)

    by JoeMerchant (3937) on Wednesday June 26 2019, @01:23AM (#859949)

    I just checked the VLC installed in my Ubuntu 18.04.2 system: 3.0.4

    Unless you're specifically patching forward, standard "accept security updates" channels haven't addressed this flaw, yet.

    It's a good think I don't play videos I download from the internet, I just stream video from the cheap Chinese IP cameras, what could possibly go wrong? Seriously, though, I have a TrendNet 3MP PoE IP cam from about 4 years ago which persistently conspires with my router, opening holes in my firewall to publish itself on the internet.

    --
    🌻🌻 [google.com]
    Starting Score:    1  point
    Moderation   +2  
       Funny=2, Total=2
    Extra 'Funny' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4  
  • (Score: 0) by Anonymous Coward on Wednesday June 26 2019, @06:27AM (2 children)

    by Anonymous Coward on Wednesday June 26 2019, @06:27AM (#860009)

    Similar situation on fully patched Ubuntu 19.04. Currently on VLC v 3.0.6-1, no new version available.

    I wonder if confinement in the snap version of VLC (as opposed to the deb package) is much protection here? Despite the various problems I've had running snaps, security issues like this would seem a strong argument for running snap packages of apps like VLC that are frequently exposed to "untrusted content" and seem to be hotbeds of security vulnerabilities.

    • (Score: 0) by Anonymous Coward on Wednesday June 26 2019, @12:22PM (1 child)

      by Anonymous Coward on Wednesday June 26 2019, @12:22PM (#860058)

      Forget Ubuntu. Switch to Fedora. VLC 3.0.7.1 here. Directly from rpmfusion repos.

      • (Score: 2) by JoeMerchant on Thursday June 27 2019, @02:47AM

        by JoeMerchant (3937) on Thursday June 27 2019, @02:47AM (#860359)

        I think that's a difference between apt/deb and yum/rpm, mostly.

        I tried living with CentOS for over a year, about a year ago... didn't enjoy it much - not impossible, just more trouble overall than in Ubuntu.

        --
        🌻🌻 [google.com]