Stories
Slash Boxes
Comments

SoylentNews is people

VLC: Vulnerability Not Found

posted by martyb on Thursday July 25 2019, @05:52PM   Printer-friendly
from the pics-or-it-didn't-happen dept.

takyon writes:

Alleged critical VLC flaw is nothing to worry about -- and is nothing to do with VLC

There has been a degree of confusion over the last few days after news spread of a supposed vulnerability in the media player VLC. Despite being labelled by security experts as "critical", VLC's developers, VideoLAN, denied there was a problem at all.

And they were right. While there is a vulnerability, it was in a third-party library, not VLC itself. On top of this, it is nowhere near as severe as first suggested. Oh -- and it was fixed over a year ago. An older version of Ubuntu Linux was to blame for the confusion.

The problem actually exists in a third-party library called libebml, and the issue was addressed some time ago. The upshot is that if you have updated VLC within the last year, there is no risk whatsoever. VLC's developers are understandably upset at the suggestion that their software was insecure.

Also at Tom's Hardware, Boing Boing, and The Register.

Original Submission

 
This discussion has been archived. No new comments can be posted.
VLC: Vulnerability Not Found | Log In/Create an Account | Top | 35 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by ikanreed on Thursday July 25 2019, @07:01PM (3 children)

    by ikanreed (3164) Subscriber Badge on Thursday July 25 2019, @07:01PM (#871197) Journal

    You missed a major dynamic linking advantage.

    Inter-oper-a-bil-ity. Application A can use the same damned apache installation and configuration as application B, because A and B dynamically link to the same centrally sourced cgi-bin. Application A spits out config files that Application B can use, because they both dynamically link to the same object serialization library.(Don't @ me that two different applications shouldn't be sharing a serialization format, it happens). Application A has an SSL standard that matches Application B elsewhere on the network, because they're both patched.

    If it were as easy as "Just static link dipshits" people would just static link.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by DannyB on Thursday July 25 2019, @07:19PM (1 child)

    by DannyB (5839) Subscriber Badge on Thursday July 25 2019, @07:19PM (#871210) Journal

    (Don't @ me that two different applications shouldn't be sharing a serialization format, it happens).

    Okay, I won't.

    But isn't using cgi-bin not such a good idea maybe?

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.

    • (Score: 2) by ikanreed on Thursday July 25 2019, @07:27PM

      by ikanreed (3164) Subscriber Badge on Thursday July 25 2019, @07:27PM (#871214) Journal

      I dunno, I haven't done a proper apache stack in ages.

  • (Score: 2) by darkfeline on Saturday July 27 2019, @08:20AM

    by darkfeline (1030) on Saturday July 27 2019, @08:20AM (#871814) Homepage

    That sounds like a disadvantage, because application A invariably wants version X of the dependency and application B wants version Y of the dependency and God help you get both versions X and Y installed without breaking application C which wants version Z of the dependency.

    You don't need dynamic linking to share a configuration file.

    --
    Join the SDF Public Access UNIX System today!