New Vulnerabilities in VLC

carum carvi
Level 6
Posts: 1029
Joined: Sun Apr 16, 2017 11:44 pm

Re: New Vulnerabilities in VLC

Post by carum carvi »

The team of Vlc say it wasn't even a security fault in Vlc software to begin with and that they couldn't even reproduce "the bug". Some say it was a smear attack against Vlc or simply sensational click bait. Much ado about nothing...? Was this all a big hype about nothing serious?

Vlc is still like Asterix and Obelix, a strong minority, still standing strong in a world of commercialism. Millions of enthusiastic users but the Vlc team still won't place ads, even when they have been offered a lot of money to do so. They still won't sell your data either. They are still able to play every video format available. Their graphic user interface is still nowhere near user friendly, but because they don't change a thing, once you know where to find some special setting, you know it will still be there in years to come...

Pjotr
Level 21
Posts: 14125
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr »

Pippin wrote:
Thu Jul 25, 2019 3:05 pm
I see the libebml update...
Is that the only update you see?
Tip: 10 things to do after installing Linux Mint 19.3 Tricia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Pippin
Level 4
Posts: 325
Joined: Wed Dec 13, 2017 11:14 am
Location: NL/DE/TH

Re: New Vulnerabilities in VLC

Post by Pippin »

No, but that's the one needed to "stuff the hole".
"Today's scientists have substituted mathematics for experiments, and they wander off through equation after equation, and eventually build a structure which has no relation to reality."
Nikola Tesla

Pippin
Level 4
Posts: 325
Joined: Wed Dec 13, 2017 11:14 am
Location: NL/DE/TH

Re: New Vulnerabilities in VLC

Post by Pippin »

carum carvi wrote:
Thu Jul 25, 2019 5:35 pm
The team of Vlc say it wasn't even a security fault in Vlc software to begin with
.........
Yup, it's libebml, which was outdated and I got that update today.

smurphos
Level 14
Posts: 5169
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: New Vulnerabilities in VLC

Post by smurphos »

carum carvi wrote:
Thu Jul 25, 2019 5:35 pm
The team of Vlc say it wasn't even a security fault in Vlc software to begin with and that they couldn't even reproduce "the bug". Some say it was a smear attack against Vlc or simply sensational click bait. Much ado about nothing...? Was this all a big hype about nothing serious?

Vlc is still like Asterix and Obelix, a strong minority, still standing strong in a world of commercialism. Millions of enthusiastic users but the Vlc team still won't place ads, even when they have been offered a lot of money to do so. They still won't sell your data either. They are still able to play every video format available. Their graphic user interface is still nowhere near user friendly, but because they don't change a thing, once you know where to find some special setting, you know it will still be there in years to come...
Pippin wrote:
Thu Jul 25, 2019 6:04 pm
No, but that's the one needed to "stuff the hole".
There are 5 different vulnerabilities....

CVE-2019-13615 - vulnerability in libebml - this is the one that VLC say wasn't a VLC vulnerability as such.
https://people.canonical.com/~ubuntu-se ... 13615.html

Patched in Mint 18.x and 19.x - https://usn.ubuntu.com/4073-1/

CVE-2018-19857 - https://people.canonical.com/~ubuntu-se ... 19857.html
CVE-2019-12874 - https://people.canonical.com/~ubuntu-se ... 12874.html
CVE-2019-13602 - https://people.canonical.com/~ubuntu-se ... 13602.html
CVE-2019-5439 - https://people.canonical.com/~ubuntu-se ... -5439.html

These are all genuine VLC vulnerabilities and are patched in Mint 19.x only to date with VLC 3.07.1

https://usn.ubuntu.com/4074-1/

CVE-2019-12874 was the original subject of this thread.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
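smurphos's list gives the CVE numbers and the USN pages that carry the fixes, but "is my system already patched?" is the practical question. The script below is an added example, not code from the thread, from Ubuntu or from VideoLAN: it reads the installed package versions with dpkg-query and lets dpkg itself do the version comparison, so epochs, Debian revisions and "~" pre-release suffixes order correctly. The fixed version strings are not on this page, so the script takes them as command-line arguments; copy them from https://usn.ubuntu.com/4073-1/ (libebml) and https://usn.ubuntu.com/4074-1/ (vlc) for your base release. The package patterns libebml*, vlc* and libvlc* are assumptions about how the packages are named on Mint 18/19.

```shell
#!/bin/sh
# Added example (not from the thread, Ubuntu or VideoLAN): report whether the
# installed libebml and VLC packages are at or above the versions an Ubuntu
# Security Notice fixed. Version ordering is delegated to dpkg.
# Usage:  sh vlc_patch_check.sh <fixed libebml version> <fixed vlc version>
#         (take both values from the USN pages for your release)

# Print "<package> <version>" for every *installed* package matching the
# dpkg-query pattern in $1; prints nothing when nothing matching is installed.
installed_versions() {
    dpkg-query -W -f='${Package} ${Version} ${Status}\n' "$1" 2>/dev/null |
        while read -r pkg ver _ _ state; do
            # Status reads "install ok installed"; skip removed/config-files entries
            if [ "$state" = installed ]; then
                printf '%s %s\n' "$pkg" "$ver"
            fi
        done
}

# Return 0 if version $1 is at least version $2 under dpkg's ordering rules.
version_ge() {
    dpkg --compare-versions "$1" ge "$2"
}

# Check every installed package matching pattern $1 against fixed version $2.
# Prints one PATCHED / VULNERABLE / NOT-INSTALLED line per package and
# returns 1 if any installed match is still below the fixed version.
check_package() {
    pattern=$1
    minver=$2
    found=$(installed_versions "$pattern")
    if [ -z "$found" ]; then
        printf 'NOT-INSTALLED %s\n' "$pattern"
        return 0
    fi
    status=0
    # Here-document instead of a pipe so $status survives the loop.
    while read -r pkg ver; do
        if version_ge "$ver" "$minver"; then
            printf 'PATCHED       %s %s (fixed in %s)\n' "$pkg" "$ver" "$minver"
        else
            printf 'VULNERABLE    %s %s (needs >= %s)\n' "$pkg" "$ver" "$minver"
            status=1
        fi
    done <<EOF
$found
EOF
    return $status
}

# $1 = fixed libebml version (USN-4073-1), $2 = fixed vlc version (USN-4074-1).
# Package name patterns are an assumption about Mint 18/19 package naming.
main() {
    rc=0
    check_package 'libebml*' "$1" || rc=1
    check_package 'vlc*' "$2" || rc=1
    check_package 'libvlc*' "$2" || rc=1
    return $rc
}

# Run only when both fixed versions were given on the command line.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

A non-zero exit status means at least one installed package is still below the fixed version, which makes the script usable from a cron job or a post-upgrade hook; NOT-INSTALLED lines are not treated as failures because a library that is not present cannot be exploited through VLC.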

Glosoli
Level 1
Posts: 32
Joined: Sat Feb 03, 2018 10:26 am

Re: New Vulnerabilities in VLC

Post by Glosoli »

Would firejail help against these kinds of vulnerabilities?

Pjotr
Level 21
Posts: 14125
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr »

Glosoli wrote:
Fri Jul 26, 2019 11:22 am
Would firejail help against these kinds of vulnerabilities?
Often, yes. It's prudent to make a habit of running your media players and your web browsers in the Firejail sandbox.
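Pjotr's advice is to make a habit of running media players under Firejail. The launcher below is an added example, not code from the thread or from the Firejail project: it starts the player only when Firejail and a profile for it are available, never falls back to running it unconfined, and includes a check a script can run from inside the sandbox to confirm confinement. The profile directory /etc/firejail and the container=firejail environment variable are Firejail's own conventions; FIREJAIL_PROFILE_DIR and OFFLINE are knobs invented for this script.

```shell
#!/bin/sh
# Added example (not from the thread or the Firejail project): launch a media
# player inside Firejail, refusing to run it unconfined if that is impossible.
# Usage:  sh play_sandboxed.sh vlc ~/Videos/clip.mkv
#         OFFLINE=1 sh play_sandboxed.sh vlc ~/Videos/clip.mkv   # no network

# Firejail looks for /etc/firejail/<program>.profile; FIREJAIL_PROFILE_DIR is
# an invented override so the check can be pointed at another directory.
PROFILE_DIR="${FIREJAIL_PROFILE_DIR:-/etc/firejail}"

# Return 0 if a Firejail profile exists for program $1.
has_profile() {
    [ -r "$PROFILE_DIR/$1.profile" ]
}

# Return 0 when the current process runs inside a Firejail sandbox.
# Firejail exports container=firejail into the sandboxed environment.
in_sandbox() {
    [ "${container:-}" = firejail ]
}

# Launch program $1 (remaining arguments are passed through) under Firejail.
# Returns 2 if firejail is missing and 3 if no profile exists, so a caller can
# tell the two failures apart. With OFFLINE=1 the sandbox gets no network
# interface at all, which suits playback of local files: a parser bug in a
# media library then has no route out of the sandbox.
run_sandboxed() {
    prog=$1
    shift
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail is not installed" >&2
        return 2
    fi
    if ! has_profile "$prog"; then
        echo "no Firejail profile for '$prog' in $PROFILE_DIR; not starting it unconfined" >&2
        return 3
    fi
    if [ "${OFFLINE:-0}" = 1 ]; then
        exec firejail --net=none "$prog" "$@"
    fi
    exec firejail "$prog" "$@"
}

# Run only when invoked with a program name. While the player is running,
# 'firejail --list' shows the sandbox and its command line.
if [ "$#" -ge 1 ]; then
    run_sandboxed "$@"
fi
```

The two failure codes matter in practice: a missing profile means Firejail would still run the program, but only with its generic defaults rather than the per-application restrictions, so the script treats that as a reason to stop rather than silently weaken the sandbox.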

carum carvi
Level 6
Posts: 1029
Joined: Sun Apr 16, 2017 11:44 pm

Re: New Vulnerabilities in VLC

Post by carum carvi »

The irony of all this fuss about Vlc is that the latest release is the most secure and best tested Vlc version ever released, but lots of users are scared anyway, simply because of the media hype. I was scared as well at the beginning. For no reason it seems, because as far as I have understood it, there was supposedly a critical bug, which turned out to be not critical after all, because of a blunder a bughunter made. More bugs were found, but they were not critical at all.

Something that really bugs me about this whole Vlc media hype is the fact that bughunters Mitre and CVE never seem to notify the Vlc team beforehand when they find bugs. That is definitely not cool. Why do they wanna scare lots of users by publishing bugs without first giving the chance to the Vlc team in fixing alleged bugs? It seems that they DO report alleged bugs beforehand to big commercial companies, but not to an opensource organisation run by volunteers, like Vlc is. Why? The fact that there are millions of Vlc users should have made Mitre or CVE aware that releasing a critical bug report, out of the blue, would cause some panic among users.

gm10
Level 20
Posts: 10882
Joined: Thu Jun 21, 2018 5:11 pm

Re: New Vulnerabilities in VLC

Post by gm10 »

carum carvi wrote:
Fri Jul 26, 2019 1:15 pm
The irony of all this fuss about Vlc is that the latest release is the most secure and best tested Vlc version ever released, but lots of users are scared anyway, simply because of the media hype. I was scared as well at the beginning. For no reason it seems, because as far as I have understood it, there was supposedly a critical bug, which turned out to be not critical after all, because of a blunder a bughunter made. More bugs were found, but they were not critical at all.
I sort of disagree. Without the media hype the VLC version in LM 19.x/Ubuntu 18.04 LTS would never have been updated to "the most secure and best tested Vlc version ever released". There had been several true VLC vulnerabilities with attached CVEs open for many months in the build in the repositories, and I am quite sure that would have continued that way until end of life of the OS without the media shitstorm.

Of course it sucks for the VLC developers, nothing is more annoying than having your old bugs haunt you because other people are still distributing them, but it's good for the users.
Tune up your LM 19+: ppa:gm10/linuxmint-tools

carum carvi
Level 6
Posts: 1029
Joined: Sun Apr 16, 2017 11:44 pm

Re: New Vulnerabilities in VLC

Post by carum carvi »

The Vlc team got the opportunity to receive money from the European Union for bug testing. Bugs were discovered and patched, which wouldn't have been discovered before. Therefore the Vlc team could confidently state that the latest Vlc version was the most secure and best tested version ever. But it got media flak anyway, because Mitre and CVE didn't give the Vlc team a chance to fix things before they made the press release about the bugs. I especially don't understand this last part of this Vlc bug story...

Gm10, you say a media hype is a good thing, because things are set in motion because of it. You got a point. But wouldn't it have been nicer if the bugs were fixed first, before the press release? The fact that some Ubuntu developers had been sleeping for the past year could have been fixed behind closed doors as well. Nobody would have had to panic. Does it really need a media hype to make Ubuntu developers aware of bugs they are neglecting? That is not a good sign...

gm10
Level 20
Posts: 10882
Joined: Thu Jun 21, 2018 5:11 pm

Re: New Vulnerabilities in VLC

Post by gm10 »

carum carvi wrote:
Fri Jul 26, 2019 1:39 pm
But it got media flak anyway, because Mitre and CVE didn't give the Vlc team a chance to fix things before they made the press release about the bugs. I especially don't understand this last part of this Vlc bug story...
Now you're misunderstanding the entire CVE system. You (ideally) get a CVE regardless of whether the bug has been fixed already or not. The point is not to generate press but to serve as a database of vulnerabilities with certain versions.

Ubuntu typically only learns about security vulnerabilities to fix based on CVE availability generally (they do have their own security contact which works as well but for the majority of security updates that is not how they came to be). Case in point, the libebml issue was fixed upstream 16 months ago but they didn't issue a CVE so Debian and Ubuntu never knew and nothing ever got updated.
carum carvi wrote:
Fri Jul 26, 2019 1:39 pm
Gm10, you say a media hype is a good thing, because things are set in motion because of it. You got a point. But wouldn't it have been nicer if the bugs were fixed first, before the press release? The fact that some Ubuntu developers had been sleeping for the past year could have been fixed behind closed doors as well. Nobody would have had to panic. Does it really need a media hype to make Ubuntu developers aware of bugs they are neglecting? That is not a good sign...
Well, if I'm right the bugs would never have been fixed without the press releases, so while it would have been nice in an ideal world, in our present reality it wouldn't have been helpful to wait. It is very important to recall that this is not about Ubuntu's paid developers - VLC is in the unsupported repository, you are basically told up front that it will be neglected (which is the dangerous part about Mint's sweeping claims of 5 years LTS - only a very small part of Mint receives that support). With the media attention Ubuntu's security team did supply the fix despite that, however.

But because of that situation you can understand why Ubuntu is pushing so hard for container formats/snapd. With developers maintaining their own stuff in a container Ubuntu is completely out of the equation. But of course that just means that nobody would have looked so closely at the vulnerable library in their repos and it would have stayed vulnerable.

carum carvi
Level 6
Posts: 1029
Joined: Sun Apr 16, 2017 11:44 pm

Re: New Vulnerabilities in VLC

Post by carum carvi »

gm10 wrote:
Fri Jul 26, 2019 1:49 pm

Ubuntu typically only learns about security vulnerabilities to fix based on CVE availability generally (they do have their own security contact which works as well but for the majority of security updates that is not how they came to be).

I mentioned this question about why Mitre and CVE didn't warn Vlc beforehand, because the guys at Vlc were pretty frustrated about not getting notified before any CVE release for the last years. Maybe in future CVE releases only critical bugs could be told in advance to software makers that have a large (millions) user base? Big commercial companies do seem to get told in advance all the time, according to those same frustrated Vlc guys.
gm10 wrote:
Fri Jul 26, 2019 1:49 pm
It is very important to recall that this is not about Ubuntu's paid developers - VLC is in the unsupported repository, you are basically told up front that it will be neglected (which is the dangerous part about Mint's sweeping claims of 5 years LTS - only a very small part of Mint receives that support).
Yes, thanks for reminding me about that, gm10. The vulnerability in updates related to third party software in LinuxMint is something I recently became aware of thanks to another post of yours concerning this issue. That's the reason I did what you described below, I switched to the flatpak version of Vlc. Flatpak provides good updates and is a better alternative for LinuxMint users than Snap packages, as far as I have understood with my newbie knowledge of things... Correct me if I am wrong :D

gm10 wrote:
Fri Jul 26, 2019 1:49 pm
But because of that situation you can understand why Ubuntu is pushing so hard for container formats/snapd. With developers maintaining their own stuff in a container Ubuntu is completely out of the equation. But of course that just means that nobody would have looked so closely at the vulnerable library in their repos and it would have stayed vulnerable.
I can remember that you recently said that you wouldn't touch an OS that consisted of nothing but Snap packages, because it would mean LinuxMint would basically become as vulnerable as Windows. But gm10 would you prefer a situation in which a combination was present of a majority of LinuxMint software with some smaller amount of third party software packaged in Snap or Flatpak format?

gm10
Level 20
Posts: 10882
Joined: Thu Jun 21, 2018 5:11 pm

Re: New Vulnerabilities in VLC

Post by gm10 »

carum carvi wrote:
Fri Jul 26, 2019 2:36 pm
gm10 wrote:
Fri Jul 26, 2019 1:49 pm

Ubuntu typically only learns about security vulnerabilities to fix based on CVE availability generally (they do have their own security contact which works as well but for the majority of security updates that is not how they came to be).

I mentioned this question about why Mitre and CVE didn't warn Vlc beforehand, because the guys at Vlc were pretty frustrated about not getting notified before any CVE release for the last years. Maybe in future CVE releases only critical bugs could be told in advance to software makers that have a large (millions) user base? Big commercial companies do seem to get told in advance all the time, according to those same frustrated Vlc guys.
Well, again, Mitre is just maintaining the database, it's ultimately up to the security researcher to choose the form of disclosure they want to go with. The general consensus in the infosec community is that some form of responsible disclosure is preferred (i.e. ideally you contact the vendor, vendor provides a fix in a timely fashion, only then do you publicly disclose yourself), but there are no rules governing that and the consensus isn't universal, either. In this case VLC was publicly contacted 4 weeks prior to the CVE registration, so it's sort of a mixed thing.

Let's not forget that the vendor/developer messed up first by putting vulnerable software out there. Telling people about that doesn't automatically make you the bad guy, in particular with the VLC guys having their own little misinformation campaign going on (Ubuntu 18.04 LTS being an outdated operating system and all that). So I'm not going to pick sides in this one.
carum carvi wrote:
Fri Jul 26, 2019 2:36 pm
I can remember that you recently said that you wouldn't touch an OS that consisted of nothing but Snap packages, because it would mean LinuxMint would basically become as vulnerable as Windows. But gm10 would you prefer a situation in which a combination was present of a majority of LinuxMint software with some smaller amount of third party software packaged in Snap or Flatpak format?
Yes, I said that because it's not like the developers are the good guys and the maintainers are the bad guys. The bugs typically get created by the developers, not the maintainers, after all. To me the main reason why desktop Linux isn't such a virus-rich environment as Windows is - low popularity aside - the prevalent distribution model with maintained software repositories.

While fully recognizing the way a container format makes things so much easier for developers/maintainers, and the draw to users always wanting the latest and greatest, I do completely abhor the idea of them. They represent the worst of the Windows ecosystem to me, with every software installing their own outdated libraries into their installation folder so they do not have to deal with the situation of available system libraries of different versions. I know this is not the full reality for many libraries end up being shared in the container system after all, basically creating a second operating system layer within the host system - not a VM for there is no virtualization, just (very light) sandboxing, but otherwise a somewhat comparable separation of the software environment.

And I also know very well that the repository situation isn't ideal either with such a significant portion of Mint's official repositories essentially being unmaintained. But since you're asking for my preference then that preference would be to improve the repository model rather than move away from it. Ubuntu are complicating their situation with the LTS vs interim release model with the majority of the users being on LTS and most of the developers and maintainers being on the interim releases. If they cleaned that up they'd shed a lot of their problems with keeping things moving.

But hey, that is just my personal opinion, and I am not preaching it, except for saying that if you want the latest and greatest of everything you shouldn't be using a release-based operating system in an LTS edition in the first place. ;)

Oh yes, and you should install my PPA for the latest and greatest, I'm sure you will agree that there is totally no contradiction in that. :lol:

Pjotr
Level 21
Posts: 14125
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: New Vulnerabilities in VLC

Post by Pjotr »

gm10 wrote:
Fri Jul 26, 2019 3:15 pm
Ubuntu are complicating their situation with the LTS vs interim release model with the majority of the users being on LTS and most of the developers and maintainers being on the interim releases. If they cleaned that up they'd shed a lot of their problems with keeping things moving.
Yes, I think it would be best if Ubuntu would simply get rid of the interim releases entirely. They're just noise on the radar.

gm10
Level 20
Posts: 10882
Joined: Thu Jun 21, 2018 5:11 pm

Re: New Vulnerabilities in VLC

Post by gm10 »

Pjotr wrote:
Fri Jul 26, 2019 4:01 pm
gm10 wrote:
Fri Jul 26, 2019 3:15 pm
Ubuntu are complicating their situation with the LTS vs interim release model with the majority of the users being on LTS and most of the developers and maintainers being on the interim releases. If they cleaned that up they'd shed a lot of their problems with keeping things moving.
Yes, I think it would be best if Ubuntu would simply get rid of the interim releases entirely. They're just noise on the radar.
Basically. Or maybe do a rolling testing repo and freeze LTS releases out of that every 2 years.

carum carvi
Level 6
Posts: 1029
Joined: Sun Apr 16, 2017 11:44 pm

Re: New Vulnerabilities in VLC

Post by carum carvi »

gm10 wrote:
Fri Jul 26, 2019 3:15 pm
To me the main reason why desktop Linux isn't such a virus-rich environment as Windows is - low popularity aside - the prevalent distribution model with maintained software repositories.

While fully recognizing the way a container format makes things so much easier for developers/maintainers, and the draw to users always wanting the latest and greatest, I do completely abhor the idea of them. They represent the worst of the Windows ecosystem to me, with every software installing their own outdated libraries into their installation folder so they do not have to deal with the situation of available system libraries of different versions.

But hey, that is just my personal opinion, and I am not preaching it, except for saying that if you want the latest and greatest of everything you shouldn't be using a release-based operating system in an LTS edition in the first place. ;)
Always interesting to read your thoughts on these matters, gm10. I often learn a lot by reading your experience-based insights. Thanks! :D
