Amii_Leigh wrote: My current version of VLC is 2.2.1. Should I try to update it somehow? I'm using Cinnamon. Will this be an issue addressed by some future update?
I don't know. You use the Ubuntu-based Mint, right? That setup might be different from LMDE (which is what I'm using). My first instinct would be to say, yes, find a way to update.
Now I wouldn't panic though... as long as you're not downloading random videos from online you should be (temporarily?) fine. All of the exploits I read--and I didn't read all of them--required the victim to play a specially-crafted file* that you are highly unlikely to have in your personal library.
But still, I would instinctively say to find a way to update it as soon as it is convenient.
Cosmos' concerns re the LTS nature of Ubuntu and the Ubuntu-based Mint spring to mind, with VLC not being properly maintained.
xenopeek: that's a very good point about firejail. Thankfully I've been running vlc in firejail and I haven't played any untrusted videos.
# VLC media player profile
# keep ~/.config/vlc visible; the include files below blacklist it otherwise
noblacklist ${HOME}/.config/vlc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
# drop every Linux capability
caps.drop all
# default client network filter (only takes effect inside a new network namespace)
netfilter
# no_new_privs: setuid/setgid binaries cannot raise privileges
nonewprivs
# no root user inside the sandbox (user namespace)
noroot
# only these socket families may be created
protocol unix,inet,inet6
# default seccomp syscall filter
seccomp
# to test
shell none
# private /bin containing only these executables
private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
As you can see there is thankfully a private-bin filter so an attacker will be limited in what he can launch outside of vlc. On the other hand, I don't know if any of the attacks required launching additional programmes... I don't believe they did so this wouldn't stop them, only (hopefully) mitigate the damage.
Network access is still allowed (due to vlc being used for streaming, I suppose) and the profile isn't terribly tight either. If you run
firejail --audit /etc/firejail/vlc.profile
you can see there are a few "MAYBE"s in there. Most concerning would be that /dev is entirely visible (probably because a few chaps use vlc to capture video) to firejailed vlc.
(Off-topic: fjaudit is shaping up nicely!)
I removed vlc several hours ago and reinstalled from Stable--it was harder than I expected. apt insisted on reinstalling from dmo even when I specified
apt-get install -t stable vlc vlc-all-the-other-packages
so I finally had to open the sources list, comment out dmo, and then install.
I use MATE, not Cinnamon, and if I want to stream something I'll just use my browser, so I may try removing the other dmo packages and seeing what happens. Flame-thrower time!
*"Specially crafted file"... ugh, I've been reading too many Microsoft bug reports.
EDIT: Thanks for the info, Zill.
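The tighter local-playback jail that the audit output points at, as an added example (not from this post and not the firejail project's own profile). It writes a user-local vlc.profile that closes the "MAYBE"s mentioned above (full /dev visible, network reachable, whole home readable) and ships a small offline check listing which of those directives a given profile lacks. Assumptions: a firejail of the era discussed reads ~/.config/firejail/vlc.profile in preference to /etc/firejail/vlc.profile; `net none`, `private-dev`, `private-tmp` and `whitelist` are standard firejail profile commands; local videos live in ~/Videos, and ~/Videos and ~/.config/vlc exist before the jail starts (whitelisted paths must exist). Streaming is deliberately broken by `net none`; use the browser for that.

```shell
#!/bin/sh
# Added example, not from the original post or the firejail project.
# Writes a stricter user-local vlc profile and checks a profile for the
# hardening directives the stock profile lacks.
set -u

# Directives the tighter profile adds over the stock one (one per line).
# ${HOME} is kept literal here: firejail expands it, not the shell.
HARDENING='net none
private-dev
private-tmp
whitelist ${HOME}/Videos
whitelist ${HOME}/.config/vlc'

# write_stock_profile DIR: the stock profile quoted in the post, for comparison.
write_stock_profile() {
  mkdir -p "$1"
  cat > "$1/vlc.profile" <<'EOF'
# VLC media player profile
noblacklist ${HOME}/.config/vlc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
shell none
private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
EOF
  printf '%s\n' "$1/vlc.profile"
}

# write_vlc_profile DIR: local-playback-only jail (assumed override location:
# ~/.config/firejail, read in preference to /etc/firejail on this firejail era).
write_vlc_profile() {
  mkdir -p "$1"
  cat > "$1/vlc.profile" <<'EOF'
# VLC media player profile, local playback only (user override)
noblacklist ${HOME}/.config/vlc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
# only these parts of $HOME are visible; the rest is an empty tmpfs
whitelist ${HOME}/Videos
whitelist ${HOME}/.config/vlc
caps.drop all
# no network namespace at all: a crafted file cannot phone home
net none
nonewprivs
noroot
protocol unix
seccomp
shell none
# minimal /dev instead of the host's, and a private /tmp
private-dev
private-tmp
private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
EOF
  printf '%s\n' "$1/vlc.profile"
}

# missing_hardening FILE: print each HARDENING directive absent from FILE.
# Returns 0 when none are missing, 1 otherwise.
missing_hardening() {
  file=$1; n=0
  old_ifs=$IFS; IFS='
'
  for line in $HARDENING; do
    grep -qxF -- "$line" "$file" || { printf '%s\n' "$line"; n=$((n + 1)); }
  done
  IFS=$old_ifs
  [ "$n" -eq 0 ]
}

# Usage:  sh vlc-jail.sh --install            (write ~/.config/firejail/vlc.profile)
#         sh vlc-jail.sh --check [PROFILE]    (list missing directives; default stock path)
# Then:   firejail vlc ~/Videos/file.mkv      (the local profile is picked up by name)
case "${1:-}" in
  --install) write_vlc_profile "$HOME/.config/firejail" ;;
  --check)   missing_hardening "${2:-/etc/firejail/vlc.profile}" ;;
esac
```

`--check` against the stock profile lists all five directives; against the written override it lists none. Keep the override under your own user's ~/.config/firejail so package updates to /etc/firejail/vlc.profile do not clobber it.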