New Vulnerabilities in VLC

thx-1138
Level 8
Posts: 2089
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: New Vulnerabilities in VLC

Post by thx-1138 »

carum carvi wrote:
Sat Jul 06, 2019 3:31 am
.........................................
...carum carvi: it all depends on someone's level of paranoia (or 'sensitivity', if you will).

VLC is probably the 2nd most widely used player out there (the first one would be... Windows Media Player, for obvious reasons).
The VLC guy managed to get some money from the EU to fund bug-hunting...
I assume that is because EU institutions probably use it for streaming / teleconferences or similar.

xplayer (and the rest of the X-Apps) are forks of older versions of the Gnome equivalents.
Gnome, besides obviously having way more developers, more or less resides under Red Hat's umbrella...
(so you also know that a certain amount of $ is quite likely spent on bug-hunting).

gm10's remark in regards to 'Universe' is spot on. Last time I had checked, there were about 120 people there,
where half of them were also either Canonical employees and/or Debian developers.
With snap being promoted, well, it is no wonder that packaging efforts will be spent elsewhere...
Pjotr wrote:
Sat Jul 06, 2019 4:43 am
.............................
...perhaps also because of its small market share. :mrgreen:
The other day I stumbled upon this (bug report here).
Didn't test it myself (quite a few others do report being affected though), because I use... neither Cinnamon nor Blueberry.
Small market share or not, security through obscurity doesn't work, I'm afraid.

Pjotr
Level 21
Posts: 14944
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr »

thx-1138 wrote:
Sat Jul 06, 2019 11:34 am
Small market share or not, security through obscurity doesn't work, I'm afraid.
True, but for what it's worth.... :P
Tip: 10 things to do after installing Linux Mint 20 Ulyana
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

thx-1138
Level 8
Posts: 2089
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: New Vulnerabilities in VLC

Post by thx-1138 »

Lol! Yes, I would agree it adds a certain additional level... :) :P
But if someone asked me specifically about Mint('s sub-projects), I do have to say that at moments,
I am indeed somewhat concerned whether they expand into more areas than is actually affordable for a small team...
Referring to the X-Apps obviously - in the sense that separately writing / maintaining video players, image viewers or PDF readers,
that have to parse numerous file formats & validate them properly, is not exactly the easiest thing per se (see VLC)...

/me enters Theo-de-Raadt mode... :lol:

Pjotr
Level 21
Posts: 14944
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr »

thx-1138 wrote:
Sat Jul 06, 2019 11:48 am
But if someone asked me specifically about Mint('s sub-projects), I do have to say that at moments,
I am indeed somewhat concerned whether they expand into more areas than is actually affordable for a small team...
Referring to the X-Apps obviously - in the sense that separately writing / maintaining video players, image viewers or PDF readers,
that have to parse numerous file formats & validate them properly, is not exactly the easiest thing per se (see VLC)...
Good point.

carum carvi
Level 6
Posts: 1208
Joined: Sun Apr 16, 2017 11:44 pm

Re: New Vulnerabilities in VLC

Post by carum carvi »

smurphos wrote:
Fri Jul 05, 2019 1:15 am
Both VideoLan and Ubuntu are heavily pushing the VLC Snap these days as the preferred way to install in Ubuntu. It's packaged directly by VideoLan.
thx-1138 wrote:
Sat Jul 06, 2019 11:34 am
With snap being promoted, well, it makes no wonder that efforts in packaging will be spent elsewhere...
The newest VLC edition with security fixes is also available as a flatpak, as Smurphos mentioned earlier. Easily downloadable from the Linux Mint software manager. Just mentioning this fact again for anyone reading this post and wanting to download the latest VLC software with the newest security fixes.

Just read about the differences between flatpak and snap. Some observations: flatpak software seems to need a lot less CPU resources compared to Snap, almost half as much. Flatpak is integrated into Linux Mint's software manager, while Snap is not. Flatpak is mostly open source, while Snap is not. All this is of course old hat for any of the more experienced users, but I am mentioning this for any low-level users and newbies who just want a safe and working VLC media player by using the newest VLC flatpak version...

Updates in Flatpak are or aren't automated? Still not sure...

smurphos
Level 16
Posts: 6729
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: New Vulnerabilities in VLC

Post by smurphos »

carum carvi wrote:
Sun Jul 07, 2019 6:26 am
Updates in Flatpak are or aren't automated? Still not sure...
As long as you haven't disabled the Flatpak startup application job, yes they are.

The script that startup job runs is /usr/bin/mintinstall-update-flatpak, which logs the output to ~/.cache/mintinstall/flatpak-update.log

I wanted a more in-yer-face alert of any flatpak updates, so I made a copy of /usr/bin/mintinstall-update-flatpak in ~/.local/bin and added an extra line to output the log as a notification.

Code:

#!/bin/bash
# Same job as /usr/bin/mintinstall-update-flatpak, plus a desktop notification
mkdir -p ~/.cache/mintinstall
# Apply all pending flatpak updates non-interactively and keep stdout as the log
flatpak update -y > ~/.cache/mintinstall/flatpak-update.log
# Show the log contents (e.g. "Nothing to do." or the updated refs) as a notification
notify-send "Flatpak update - $(cat ~/.cache/mintinstall/flatpak-update.log)"
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

carum carvi
Level 6
Posts: 1208
Joined: Sun Apr 16, 2017 11:44 pm

Re: New Vulnerabilities in VLC

Post by carum carvi »

Many thanks for that notification alert Smurphos.

I did indeed disable the automatic start up of flatpak :oops: , because I thought I didnt need it anyway, but I have enabled it again...

Glosoli
Level 1
Posts: 32
Joined: Sat Feb 03, 2018 10:26 am

Re: New Vulnerabilities in VLC

Post by Glosoli »

smurphos wrote:
Sun Jul 07, 2019 7:19 am
carum carvi wrote:
Sun Jul 07, 2019 6:26 am
Updates in Flatpak are or aren't automated? Still not sure...
As long as you haven't disabled the Flatpak startup application job, yes they are.

The script that startup job runs is /usr/bin/mintinstall-update-flatpak, which logs the output to ~/.cache/mintinstall/flatpak-update.log

I wanted a more in-yer-face alert of any flatpak updates, so I made a copy of /usr/bin/mintinstall-update-flatpak in ~/.local/bin and added an extra line to output the log as a notification.

Code:

#!/bin/bash
# Same job as /usr/bin/mintinstall-update-flatpak, plus a desktop notification
mkdir -p ~/.cache/mintinstall
# Apply all pending flatpak updates non-interactively and keep stdout as the log
flatpak update -y > ~/.cache/mintinstall/flatpak-update.log
# Show the log contents (e.g. "Nothing to do." or the updated refs) as a notification
notify-send "Flatpak update - $(cat ~/.cache/mintinstall/flatpak-update.log)"
Hi,
I don't have a bin folder in .local, should I create one?

smurphos
Level 16
Posts: 6729
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: New Vulnerabilities in VLC

Post by smurphos »

Glosoli wrote:
Sun Jul 07, 2019 11:43 am
Hi,
I don't have a bin folder in .local, should I create one?
Yes. Once you have created the folder and logged off and back on at least once, the directory is automatically added to your $PATH with precedence over /usr/share/bin, so the copied and amended version of the script will take precedence over the system copy.

Pjotr
Level 21
Posts: 14944
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr »

Today, from the official repos (screenshot not reproduced here):

A security update for VLC, updating it to version 3.0.7.1. Nice work from the MOTUs. It shows that certain high-profile critical software in the Universe repo is being kept secure alright, even though it's "only" community-maintained. :mrgreen:

cliffcoggin
Level 5
Posts: 968
Joined: Sat Sep 17, 2016 6:40 pm
Location: England

Re: New Vulnerabilities in VLC

Post by cliffcoggin »

I see that update is for Ubuntu 18.04, which I believe is equivalent to Linux Mint 19. Do you know if Mint 18.3 will also be updated? I deleted VLC when the problem arose and shan't re-install if there is no update.
Cliff Coggin
Mint 19.2 Cinnamon

athi
Level 6
Posts: 1459
Joined: Sun Mar 30, 2014 10:15 am
Location: USA

Re: New Vulnerabilities in VLC

Post by athi »

Got the VLC update this morning with Mate 19.1
Mint Mate 19.1. Main rig is HP 800G2 I5 6500 16GB ram, 120GB boot drive, 2x3TB, 1x4TB data drives. Oldest rig is Mate 18.3 on Dell D620 with 32bits core duo.

smurphos
Level 16
Posts: 6729
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: New Vulnerabilities in VLC

Post by smurphos »

cliffcoggin wrote:
Thu Jul 25, 2019 12:23 pm
Do you know if Mint 18.3 will also be updated?
Not yet, by the looks of it. None of the four CVEs patched... all of them still say "needed" for Xenial.
https://people.canonical.com/~ubuntu-se ... 1515244911

zcot
Level 5
Posts: 882
Joined: Wed Oct 19, 2016 6:08 pm

Re: New Vulnerabilities in VLC

Post by zcot »

cliffcoggin wrote:
Thu Jul 25, 2019 12:23 pm
I see that update is for Ubuntu 18.04, which I believe is equivalent to Linux Mint 19. Do you know if Mint 18.3 will also be updated? I deleted VLC when the problem arose and shan't re-install if there is no update.
Also mentioned earlier, the flatpak version is at 3.0.7.1 updated recently. https://flathub.org/apps/details/org.videolan.VLC and also: https://www.pcgamer.com/vlc-media-playe ... rity-flaw/
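Whichever route you take (the Ubuntu/Mint repo package or the Flathub flatpak), the thing worth verifying afterwards is that the VLC you actually have installed is at or above 3.0.7.1, the release this thread points to as the security update. The script below is an added example written for this page, not code from the thread, from VideoLAN or from Linux Mint. It parses the output formats of `apt-cache policy vlc` and `flatpak info org.videolan.VLC`; the sample outputs embedded in it are constructed for illustration, not captured from a real machine, and its version comparison is a simplified form of dpkg's ordering (use `dpkg --compare-versions` where that is available).

```shell
#!/bin/sh
# Added example (not from this thread, VideoLAN or Linux Mint): report whether
# the installed VLC is at or above 3.0.7.1, the release the thread names as the
# security update, for both the apt package and the Flathub flatpak.

FIXED_VERSION="3.0.7.1"

# upstream_version VERSION -> the upstream part of a Debian-style version:
# drops an epoch prefix ("1:") and the Debian revision ("-0ubuntu18.04.1").
upstream_version() {
    v=$1
    v=${v#*:}
    v=${v%%-*}
    printf '%s\n' "$v"
}

# version_ge A B -> exit status 0 when upstream(A) >= upstream(B).
# Compares dot-separated numeric components; a missing component counts as 0
# and a non-digit tail in a component ("8~rc1") is ignored. That is a
# simplification of dpkg's ordering; prefer "dpkg --compare-versions" when it
# exists. This pure-sh version is here so the check also works where dpkg is absent.
version_ge() {
    a=$(upstream_version "$1")
    b=$(upstream_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; cb=${b%%.*}                    # current component of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac  # advance to the next one
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        na=$(printf '%s\n' "$ca" | sed 's/[^0-9].*//'); na=${na:-0}
        nb=$(printf '%s\n' "$cb" | sed 's/[^0-9].*//'); nb=${nb:-0}
        [ "$na" -gt "$nb" ] && return 0
        [ "$na" -lt "$nb" ] && return 1
    done
    return 0
}

# installed_version TEXT -> the installed version found in TEXT, which is the
# output of "apt-cache policy vlc" ("  Installed: 3.0.7.1-0ubuntu18.04.1") or
# of "flatpak info org.videolan.VLC" ("     Version: 3.0.7.1"). Prints nothing
# for "Installed: (none)". flatpak info also prints an "Installed:" size line,
# but it comes after "Version:", so stopping at the first match picks the version.
installed_version() {
    printf '%s\n' "$1" | awk '
        $1 == "Installed:" || $1 == "Version:" {
            if ($2 != "(none)") print $2
            exit
        }'
}

# vlc_status TEXT -> prints fixed / vulnerable / not-installed; exit status is
# 0 only for fixed, so it can gate a notify-send like the update script does.
vlc_status() {
    v=$(installed_version "$1")
    if [ -z "$v" ]; then
        echo "not-installed"; return 2
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "fixed ($v >= $FIXED_VERSION)"; return 0
    else
        echo "vulnerable ($v < $FIXED_VERSION)"; return 1
    fi
}

# Constructed sample outputs (illustrative, not captured from a real system).
SAMPLE_APT_OLD='vlc:
  Installed: 3.0.4-1ubuntu0.2
  Candidate: 3.0.7.1-0ubuntu18.04.1
  Version table:
     3.0.7.1-0ubuntu18.04.1 500
        500 http://archive.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
 *** 3.0.4-1ubuntu0.2 100
        100 /var/lib/dpkg/status'
SAMPLE_APT_NONE='vlc:
  Installed: (none)
  Candidate: 3.0.7.1-0ubuntu18.04.1'
SAMPLE_FLATPAK='VLC - VLC media player

          ID: org.videolan.VLC
      Branch: stable
     Version: 3.0.7.1
      Origin: flathub
   Installed: 94.5 MB'

# Stand-alone run: check whichever package sources exist on this machine.
for src in "apt-cache policy vlc" "flatpak info org.videolan.VLC"; do
    cmd=${src%% *}
    command -v "$cmd" >/dev/null 2>&1 || continue
    echo "$cmd: $(vlc_status "$($src 2>/dev/null)")"
done
```

Run as-is it reports each package source that exists on the machine; on a Mint 18.3 box still waiting for the Xenial update the apt copy comes back as vulnerable while a Flathub install at 3.0.7.1 comes back as fixed, which is exactly the split this thread is about. Because `vlc_status` returns non-zero for anything other than fixed, it can be dropped into the notification script above to alert only when the installed version is still behind.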

Pippin
Level 4
Posts: 349
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: New Vulnerabilities in VLC

Post by Pippin »

Just got the update on 18.3

Code:

libebml (1.3.3-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: heap-based out of bounds read
    - debian/patches/CVE-2019-13615-1.patch: check the max size to read
      before actually reading in src/EbmlElement.cpp.
    - debian/patches/CVE-2019-13615-2.patch: do not output an element with
      size Unknown if it's not allowed in src/EbmlElement.cpp.
    - debian/patches/CVE-2019-13615-3.patch: exit the max size loop when
      there's nothing left possible to find in src/EbmlElement.cpp.
    - debian/patches/CVE-2019-13615-4.patch: rework the way we look at the
      end boundary when looking an element in a parent in
      src/EbmlElement.cpp.
    - CVE-2019-13615
Peer review = Ossification of current assumptions, the censorship of competing hypotheses.

Mathematical proofs = Elegant consistencies within a synthetic man-made universe.
Models are not reality, no matter how elegant.

cliffcoggin
Level 5
Posts: 968
Joined: Sat Sep 17, 2016 6:40 pm
Location: England

Re: New Vulnerabilities in VLC

Post by cliffcoggin »

smurphos wrote:
Thu Jul 25, 2019 12:50 pm
cliffcoggin wrote:
Thu Jul 25, 2019 12:23 pm
Do you know if Mint 18.3 will also be updated?
Not yet, by the looks of it. None of the four CVEs patched... all of them still say "needed" for Xenial.
https://people.canonical.com/~ubuntu-se ... 1515244911
Thanks Smurphos. I'll stick with whatever I installed in place of VLC. (I don't recall what it is called.)

smurphos
Level 16
Posts: 6729
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: New Vulnerabilities in VLC

Post by smurphos »

Pippin wrote:
Thu Jul 25, 2019 1:04 pm
Just got the update on 18.3
Different vulnerability.... :wink:

Pippin
Level 4
Posts: 349
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: New Vulnerabilities in VLC

Post by Pippin »

Really? Have i missed something?

Edit: Ah yes, I see, this is the other one...
https://www.ghacks.net/2019/07/24/confu ... erability/
https://mobile.twitter.com/TheRegister/ ... 768384?p=v
Last edited by Pippin on Thu Jul 25, 2019 3:05 pm, edited 3 times in total.

Pjotr
Level 21
Posts: 14944
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr »

Pippin wrote:
Thu Jul 25, 2019 2:55 pm
Really? Have i missed something?
Yes. See my previous message and study the screenshot closely. :mrgreen:

Pippin
Level 4
Posts: 349
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: New Vulnerabilities in VLC

Post by Pippin »

I see the libebml update...
