New Vulnerabilities in VLC

ejazzkatt
Level 4
Posts: 203
Joined: Sat Nov 30, 2013 10:03 am

New Vulnerabilities in VLC

Post by ejazzkatt » Wed Jul 03, 2019 2:25 pm

Make Tech Easier has a recent article about vulnerabilities in VLC. It says that the safe versions are 3.0.7 and above.

https://www.maketecheasier.com/hackers- ... abilities/
Does anyone know if this is a problem in Linux versions of VLC? If so, should I install a version outside of the repositories?

Pjotr
Level 21
Posts: 13876
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr » Wed Jul 03, 2019 2:34 pm

Don't put too much value on the upstream version number. Often, the Ubuntu/Mint devs prefer cherry-picking security fixes and backporting them into an older version.
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

gm10
Level 20
Posts: 10290
Joined: Thu Jun 21, 2018 5:11 pm

Re: New Vulnerabilities in VLC

Post by gm10 » Wed Jul 03, 2019 3:03 pm

ejazzkatt wrote:
Wed Jul 03, 2019 2:25 pm
Does anyone know if this is a problem in Linux versions of VLC?
Yes. The vulnerability was even discovered on Linux. ;)
ejazzkatt wrote:
Wed Jul 03, 2019 2:25 pm
If so, should I install a version outside of the repositories?
Depends on your usage. If you do not download files from untrusted sources or at least not in Matroska format then the vulnerability won't affect you. Otherwise yes, probably, or use another player while you wait for vlc to get fixed in Ubuntu and thus Mint. Here's the status:
https://people.canonical.com/~ubuntu-se ... 12874.html

Anti-virus products can also detect malformed Matroska files but I cannot recommend one here for lack of experience with them.
Tune up your LM 19.x: ppa:gm10/linuxmint-tools
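A small check in the spirit of gm10's advice above, added here as an example and not code from the thread, from VideoLAN or from Ubuntu: it identifies Matroska/WebM files by their EBML header instead of by file extension (so a renamed .mkv does not slip past an extension-based workaround), and compares an installed VLC version string against the 3.0.7 threshold the thread names. The sample byte strings are constructed for the example; the element IDs are the public EBML ones. The version comparison carries the caveat Pjotr raises: a distro may backport the fix under an older version number, so a "below 3.0.7" result means "check the distro's security tracker", not "definitely vulnerable".

```python
import re
from typing import Optional, Tuple

# Upstream release the thread names as the first fixed version.
FIXED_VERSION = (3, 0, 7)

# Matroska/WebM files start with the EBML header element, ID 0x1A45DFA3.
EBML_MAGIC = b"\x1a\x45\xdf\xa3"
EBML_DOCTYPE_ID = 0x4282


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.0.4-1build1' or '3.0.7.1' into a comparable tuple of ints.

    Only the leading dotted-numeric part is used; a Debian revision suffix
    says nothing about backported fixes, so it is ignored.
    """
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_fixed_upstream_version(version: str) -> bool:
    """True if the upstream version number is 3.0.7 or later (see caveat)."""
    return parse_version(version) >= FIXED_VERSION


def read_vint(data: bytes, pos: int, keep_marker: bool) -> Tuple[int, int]:
    """Read one EBML variable-length integer at data[pos].

    The number of leading zero bits in the first byte gives the length.
    Element IDs keep the marker bit (keep_marker=True); sizes strip it.
    Returns (value, position after the integer).
    """
    if pos >= len(data):
        raise ValueError("truncated EBML data")
    first = data[pos]
    length, mask = 1, 0x80
    while length <= 8 and not first & mask:
        mask >>= 1
        length += 1
    if length > 8 or pos + length > len(data):
        raise ValueError("invalid or truncated EBML vint")
    value = first if keep_marker else first & (mask - 1)
    for i in range(1, length):
        value = (value << 8) | data[pos + i]
    return value, pos + length


def ebml_doctype(data: bytes) -> Optional[str]:
    """Return the DocType of an EBML file ('matroska', 'webm', ...) or None.

    Walks only the EBML header element, so a few dozen bytes are enough.
    """
    if not data.startswith(EBML_MAGIC):
        return None
    pos = len(EBML_MAGIC)
    header_size, pos = read_vint(data, pos, keep_marker=False)
    end = min(pos + header_size, len(data))
    while pos < end:
        element_id, pos = read_vint(data, pos, keep_marker=True)
        size, pos = read_vint(data, pos, keep_marker=False)
        if pos + size > end:
            return None  # header claims more data than is present
        if element_id == EBML_DOCTYPE_ID:
            return data[pos:pos + size].decode("ascii", errors="replace")
        pos += size
    return None


def is_matroska(data: bytes) -> bool:
    """Content-based check that does not trust the file extension."""
    return ebml_doctype(data) in ("matroska", "webm")


# Constructed sample: a minimal EBML header declaring DocType 'matroska'.
SAMPLE_MKV_HEADER = bytes.fromhex(
    "1A45DFA3"                 # EBML element ID
    "A3"                       # header size: 0x23 = 35 bytes of children
    "428681 01"                # EBMLVersion = 1
    "42F781 01"                # EBMLReadVersion = 1
    "42F281 04"                # EBMLMaxIDLength = 4
    "42F381 08"                # EBMLMaxSizeLength = 8
    "428288 6D6174726F736B61"  # DocType, 8 bytes: 'matroska'
    "428781 04"                # DocTypeVersion = 4
    "428581 02"                # DocTypeReadVersion = 2
)
# Constructed sample: the start of an ISO base media (MP4) file, for contrast.
SAMPLE_MP4_HEADER = b"\x00\x00\x00\x18ftypisom"


def main() -> None:
    for label, blob in (("mkv", SAMPLE_MKV_HEADER), ("mp4", SAMPLE_MP4_HEADER)):
        print(f"{label}: doctype={ebml_doctype(blob)!r} matroska={is_matroska(blob)}")
    for v in ("3.0.4-1build1", "3.0.7.1"):
        print(f"{v}: upstream fixed version? {is_fixed_upstream_version(v)}")


if __name__ == "__main__":
    main()
```

To apply it to a real file, pass the first 64 bytes or so to `ebml_doctype`; the version string can be taken from `vlc --version` or the package manager, with the backport caveat above in mind.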

ejazzkatt
Level 4
Posts: 203
Joined: Sat Nov 30, 2013 10:03 am

Re: New Vulnerabilities in VLC

Post by ejazzkatt » Wed Jul 03, 2019 6:45 pm

Thank you both for your replies.

carum carvi
Level 6
Posts: 1029
Joined: Sun Apr 16, 2017 11:44 pm

Re: New Vulnerabilities in VLC

Post by carum carvi » Wed Jul 03, 2019 10:23 pm

Quoted from Videolan.org:
Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.


VLC media player 3.0.7 addresses the issues. This release also fixes an important security issue that could lead to code execution when playing an AAC file.
My question is HOW to disable VLC browser plugins? Because that is mentioned on Videolan.org as an alternative protection.

all41
Level 15
Posts: 5715
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: New Vulnerabilities in VLC

Post by all41 » Wed Jul 03, 2019 10:49 pm

refrain from opening files from untrusted third parties
How are we to know who is trustworthy?

ejazzkatt
Level 4
Posts: 203
Joined: Sat Nov 30, 2013 10:03 am

Re: New Vulnerabilities in VLC

Post by ejazzkatt » Wed Jul 03, 2019 11:40 pm

Good question, Carum Carvi. And do we need to disable all of the plugins or just one plugin?

Pjotr
Level 21
Posts: 13876
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr » Thu Jul 04, 2019 4:54 am

Some notes:

- By default, you don't have a VLC browser plugin in Firefox. You can check that easily in your web browser. So by default, no worries about Firefox plugins.

- The need for extra carefulness apparently only arises when handling Matroska files (.mkv, .mk3d, .mka, .mks). Not for other file types, at least probably not in Linux. If you have a Matroska file on your hard disk, you can right-click it and (for the time being) change the default association for it (and for the likes of it) into another media player.

- As an extra precaution it might help to run VLC, for the time being, in the Firejail sandbox.

- Don't panic. The Ubuntu devs are working on it.... :mrgreen:

gm10
Level 20
Posts: 10290
Joined: Thu Jun 21, 2018 5:11 pm

Re: New Vulnerabilities in VLC

Post by gm10 » Thu Jul 04, 2019 5:58 am

Pjotr wrote:
Thu Jul 04, 2019 4:54 am
The Ubuntu devs are working on it.... :mrgreen:
Careful with such promises. VLC is in the universe repo, meaning it is not supported by Ubuntu, only by the volunteer community maintainers - who may or may not want to try to SRU this to v3.0.7. Debian has already updated though so I'd hope somebody will copy it over.

Pjotr
Level 21
Posts: 13876
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr » Thu Jul 04, 2019 6:01 am

gm10 wrote:
Thu Jul 04, 2019 5:58 am
Pjotr wrote:
Thu Jul 04, 2019 4:54 am
The Ubuntu devs are working on it.... :mrgreen:
Careful with such promises. VLC is in the universe repo, meaning it is not supported by Ubuntu, only by the volunteer community maintainers - who may or may not want to try to SRU this to v3.0.7.
True. But in the past, the Masters of the Universe (MOTUs) have usually been swift with security fixes for critical high-profile software like VLC....

ejazzkatt
Level 4
Posts: 203
Joined: Sat Nov 30, 2013 10:03 am

Re: New Vulnerabilities in VLC

Post by ejazzkatt » Thu Jul 04, 2019 7:11 pm

Thanks for the useful information!

smurphos
Level 13
Posts: 4830
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: New Vulnerabilities in VLC

Post by smurphos » Fri Jul 05, 2019 1:15 am

Pjotr wrote:
Thu Jul 04, 2019 6:01 am
True. But in the past, the Masters of the Universe (MOTUs) have usually been swift with security fixes for critical high-profile software like VLC....
Both VideoLan and Ubuntu are heavily pushing the VLC Snap these days as the preferred way to install in Ubuntu. It's packaged directly by VideoLan.

Upstream Debian released 3.0.7 on 9th June in Stretch & 7th June in Buster. There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version.

In fact Bionic's 3.0.4 has another unpatched 6-month-old CVE (fixed in Debian in January) - https://people.canonical.com/~ubuntu-se ... 19857.html.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

gm10
Level 20
Posts: 10290
Joined: Thu Jun 21, 2018 5:11 pm

Re: New Vulnerabilities in VLC

Post by gm10 » Fri Jul 05, 2019 4:33 am

smurphos wrote:
Fri Jul 05, 2019 1:15 am
There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version.
There's no pending SRU for vlc even for the old CVE. As I always say, for practical purposes you have to consider the universe repo as unsupported, most software in there never receives a bug fix after a new Ubuntu version has been released.

carum carvi
Level 6
Posts: 1029
Joined: Sun Apr 16, 2017 11:44 pm

Re: New Vulnerabilities in VLC

Post by carum carvi » Fri Jul 05, 2019 5:08 am

gm10 wrote:
Fri Jul 05, 2019 4:33 am
As I always say, for practical purposes you have to consider the universe repo as unsupported, most software in there never receives a bug fix after a new Ubuntu version has been released.
smurphos wrote:
Fri Jul 05, 2019 1:15 am
Both VideoLan and Ubuntu are heavily pushing the VLC Snap these days as the preferred way to install in Ubuntu. It's packaged directly by VideoLan.

There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version. In fact Bionic's 3.0.4 has another unpatched 6-month-old CVE (fixed in Debian in January) -
Wow. That's a wake-up call for me. I never considered software from the universe repo to be a security risk. But I will choose such third-party software more carefully from now on. I think I will not choose the option to install third-party software anymore during a new install of Linux Mint.

Will there be an updated flatpak version of VLC available in LinuxMint in the foreseeable future that we can download? I just found out that I can use snap packages as well in LinuxMint if I first install snapd from within the software manager. An informative link about how to install snap packages in LinuxMint is found below, because I really can't live without VLC. I am a diehard VLC user...happily so...

https://www.reallinuxuser.com/how-to-us ... inux-mint/

User avatar
smurphos
Level 13
Posts: 4830
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: New Vulnerabilities in VLC

Post by smurphos » Fri Jul 05, 2019 8:32 am

The flatpak is at version 3.0.7.1, so it is the latest stable release.

thx-1138
Level 7
Posts: 1926
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: New Vulnerabilities in VLC

Post by thx-1138 » Fri Jul 05, 2019 9:57 am

...while you can all be certain that xplayer, pix & xed get fuzzed daily from independent researchers... :mrgreen:

gm10
Level 20
Posts: 10290
Joined: Thu Jun 21, 2018 5:11 pm

Re: New Vulnerabilities in VLC

Post by gm10 » Fri Jul 05, 2019 10:00 am

thx-1138 wrote:
Fri Jul 05, 2019 9:57 am
...while you can all be certain that xplayer, pix & xed get fuzzed daily from independent researchers... :mrgreen:
At least. :lol:

carum carvi
Level 6
Posts: 1029
Joined: Sun Apr 16, 2017 11:44 pm

Re: New Vulnerabilities in VLC

Post by carum carvi » Sat Jul 06, 2019 3:31 am

smurphos wrote:
Fri Jul 05, 2019 8:32 am
The flatpak is at version 3.0.7.1, so it is the latest stable release.
Thanks for that tip Smurphos!

Thx-1138, I think I understand your (cheeky) argument. Had to google what "fuzzed" meant though. I couldn't find the exact definition, but I guess it means to comb out, to search through something thoroughly...?

Independent research for critical security risks is of course NOT the case with all the standard software in LinuxMint. But since you guys, as experienced forum users, are all using standard LinuxMint software as well, I think the safety of using the standard LinuxMint software is as good as it will ever get...
Last edited by carum carvi on Sun Jul 07, 2019 5:22 am, edited 1 time in total.

gm10
Level 20
Posts: 10290
Joined: Thu Jun 21, 2018 5:11 pm

Re: New Vulnerabilities in VLC

Post by gm10 » Sat Jul 06, 2019 4:34 am

carum carvi wrote:
Sat Jul 06, 2019 3:31 am
Thx-1138, I think I understand your (cheeky) argument. Had to google what "fuzzed" meant though. I couldn't find the exact definition, but I guess it means to comb out, to search through something thoroughly...?
https://en.wikipedia.org/wiki/Fuzzing
carum carvi wrote:
Sat Jul 06, 2019 3:31 am
But since you guys, as experienced forum users, are all using standard LinuxMint software as well I think the safety of using the standard LinuxMint software is as good as it will ever get...
Are we though? I'm not using any of the software he listed (but not for security reasons). The more relevant argument is probably that those apps use common libraries and file format related vulnerabilities in those would impact a much larger user/application base, so you can hope they would be discovered.

Pjotr
Level 21
Posts: 13876
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr » Sat Jul 06, 2019 4:43 am

carum carvi wrote:
Sat Jul 06, 2019 3:31 am
Since you guys, as experienced forum users, are all using standard LinuxMint software
Well, I am. :mrgreen:

My take: in real life, Ubuntu/Mint is pretty secure. For various reasons. In certain cases (not overly diligent MOTUs) perhaps also because of its small market share. :mrgreen:
