New Vulnerabilities in VLC

Posted: Wed Jul 03, 2019 2:25 pm
by ejazzkatt
Make Tech Easier has a recent article about vulnerabilities in VLC. It says that the safe versions are 3.0.7 and above.

https://www.maketecheasier.com/hackers- ... abilities/
Does anyone know if this is a problem in Linux versions of VLC? If so, should I install a version outside of the repositories?

Re: New Vulnerabilities in VLC

Posted: Wed Jul 03, 2019 2:34 pm
by Pjotr
Don't put too much value on the upstream version number. Often, the Ubuntu/Mint devs prefer cherry-picking security fixes and backporting them into an older version.

Re: New Vulnerabilities in VLC

Posted: Wed Jul 03, 2019 3:03 pm
by gm10
ejazzkatt wrote:
Wed Jul 03, 2019 2:25 pm
Does anyone know if this is a problem in Linux versions of VLC?
Yes. The vulnerability was even discovered on Linux. ;)
ejazzkatt wrote:
Wed Jul 03, 2019 2:25 pm
If so, should I install a version outside of the repositories?
Depends on your usage. If you do not download files from untrusted sources or at least not in Matroska format then the vulnerability won't affect you. Otherwise yes, probably, or use another player while you wait for vlc to get fixed in Ubuntu and thus Mint. Here's the status:
https://people.canonical.com/~ubuntu-se ... 12874.html

Anti-virus products can also detect malformed Matroska files but I cannot recommend one here for lack of experience with them.

Re: New Vulnerabilities in VLC

Posted: Wed Jul 03, 2019 6:45 pm
by ejazzkatt
Thank you both for your replies.

Re: New Vulnerabilities in VLC

Posted: Wed Jul 03, 2019 10:23 pm
by carum carvi
Quoted from Videolan.org:
Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

VLC media player 3.0.7 addresses the issues. This release also fixes an important security issue that could lead to code execution when playing an AAC file.
My question is HOW to disable VLC browser plugins? Because that is mentioned on Videolan.org as an alternative protection.

Re: New Vulnerabilities in VLC

Posted: Wed Jul 03, 2019 10:49 pm
by all41
refrain from opening files from untrusted third parties
How are we to know who is trustworthy?

Re: New Vulnerabilities in VLC

Posted: Wed Jul 03, 2019 11:40 pm
by ejazzkatt
Good question, Carum Carvi. And do we need to disable all of the plugins or just one plugin?

Re: New Vulnerabilities in VLC

Posted: Thu Jul 04, 2019 4:54 am
by Pjotr
Some notes:

- By default, you don't have a VLC browser plugin in Firefox. You can check that easily in your web browser. So by default, no worries about Firefox plugins.

- The need for extra carefulness apparently only arises when handling Matroska files (.mkv, .mk3d, .mka, .mks). Not for other file types, at least probably not in Linux. If you have a Matroska file on your hard disk, you can right-click it and (for the time being) change the default association for it (and for the likes of it) into another media player.

- As an extra precaution it might help to run VLC, for the time being, in the Firejail sandbox.

- Don't panic. The Ubuntu devs are working on it.... :mrgreen:
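As an added example that is not part of the thread, a small POSIX shell script that checks Pjotr's points from the command line: whether the installed vlc deb is at or above the 3.0.7 fixed release, which application currently opens the Matroska types (.mkv, .mk3d, .mka, .mks), and whether Firejail is available for an interim sandboxed launch. It assumes a Debian/Ubuntu-style system with dpkg; xdg-mime and firejail are optional, and the MIME type names are taken from shared-mime-info (an assumption about the desktop's database).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Debian/Ubuntu-style system
# with dpkg; xdg-mime and firejail are optional. MIME type names follow
# shared-mime-info (an assumption about the desktop's database).

# Succeed when version $1 is at or above version $2. dpkg's own comparison
# understands Debian revisions and epochs; `sort -V` is the fallback.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Upstream version of the installed vlc deb, without epoch and Debian
# revision; prints nothing when no deb is installed (snap/flatpak not covered).
installed_vlc_version() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f '${Version}' vlc 2>/dev/null | sed 's/^[0-9]*://; s/-.*//'
}

# Which application currently opens the Matroska types (.mkv/.mk3d/.mka/.mks).
matroska_handlers() {
    for t in video/x-matroska video/x-matroska-3d audio/x-matroska application/x-matroska; do
        printf '%s -> %s\n' "$t" "$(xdg-mime query default "$t" 2>/dev/null || echo '(none)')"
    done
}

main() {
    v=$(installed_vlc_version)
    if [ -z "$v" ]; then
        echo "no vlc deb installed"
    elif version_ge "$v" 3.0.7; then
        echo "vlc $v: at or above the 3.0.7 fixed release"
    else
        # Distro packagers often backport fixes, so this is a prompt to read
        # the package changelog and the Ubuntu security tracker, not a verdict.
        echo "vlc $v: below 3.0.7, check the changelog for a backported fix"
    fi
    command -v xdg-mime >/dev/null 2>&1 && matroska_handlers
    # Interim step from the thread: run the player inside Firejail if present.
    if command -v firejail >/dev/null 2>&1; then
        echo 'firejail is available: launch with  firejail vlc "<file>"'
    fi
    return 0
}

main "$@"
```

A version below 3.0.7 is only a prompt to check the package changelog, since, as noted above, Ubuntu and Mint often backport security fixes into an older version number.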

Re: New Vulnerabilities in VLC

Posted: Thu Jul 04, 2019 5:58 am
by gm10
Pjotr wrote:
Thu Jul 04, 2019 4:54 am
The Ubuntu devs are working on it.... :mrgreen:
Careful with such promises. VLC is in the universe repo, meaning it is not supported by Ubuntu, only by the volunteer community maintainers - who may or may not want to try to SRU this to v3.0.7. Debian has already updated though so I'd hope somebody will copy it over.

Re: New Vulnerabilities in VLC

Posted: Thu Jul 04, 2019 6:01 am
by Pjotr
gm10 wrote:
Thu Jul 04, 2019 5:58 am
Pjotr wrote:
Thu Jul 04, 2019 4:54 am
The Ubuntu devs are working on it.... :mrgreen:
Careful with such promises. VLC is in the universe repo, meaning it is not supported by Ubuntu, only by the volunteer community maintainers - who may or may not want to try to SRU this to v3.0.7.
True. But in the past, the Masters of the Universe (MOTU's) have usually been swift with security fixes for critical high-profile software like VLC....

Re: New Vulnerabilities in VLC

Posted: Thu Jul 04, 2019 7:11 pm
by ejazzkatt
Thanks for the useful information!

Re: New Vulnerabilities in VLC

Posted: Fri Jul 05, 2019 1:15 am
by smurphos
Pjotr wrote:
Thu Jul 04, 2019 6:01 am
True. But in the past, the Masters of the Universe (MOTU's) have usually been swift with security fixes for critical high-profile software like VLC....
Both VideoLan and Ubuntu are heavily pushing the VLC Snap these days as the preferred way to install in Ubuntu. It's packaged directly by VideoLan.

Upstream Debian released 3.0.7 on 9th June in Stretch & 7th June in Buster. There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version.

In fact Bionic's 3.0.4 has another un-patched 6 month old CVE (fixed in Debian in January) - https://people.canonical.com/~ubuntu-se ... 19857.html.

Re: New Vulnerabilities in VLC

Posted: Fri Jul 05, 2019 4:33 am
by gm10
smurphos wrote:
Fri Jul 05, 2019 1:15 am
There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version.
There's no pending SRU for vlc even for the old CVE. As I always say, for practical purposes you have to consider the universe repo as unsupported, most software in there never receives a bug fix after a new Ubuntu version has been released.

Re: New Vulnerabilities in VLC

Posted: Fri Jul 05, 2019 5:08 am
by carum carvi
gm10 wrote:
Fri Jul 05, 2019 4:33 am
As I always say, for practical purposes you have to consider the universe repo as unsupported, most software in there never receives a bug fix after a new Ubuntu version has been released.
smurphos wrote:
Fri Jul 05, 2019 1:15 am
Both VideoLan and Ubuntu are heavily pushing the VLC Snap these days as the preferred way to install in Ubuntu. It's packaged directly by VideoLan.

There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version. In fact Bionic's 3.0.4 has another un-patched 6 month old CVE (fixed in Debian in January) -
Wow. That's a wake up call for me. I never considered software from the universe repo to be a security risk. But I will choose such third party software more carefully from now on. I think I will not choose the option to install third party software anymore during a new install of Linux Mint.

Will there be an updated flatpak version of Vlc available in LinuxMint in the foreseeable future that we can download? I just found out that I can use snap packages as well in LinuxMint if I first install snapd from within the software manager. An informative link about how to install snap packages in LinuxMint is found below, because I really can't live without Vlc. I am a diehard Vlc user...happily so...

https://www.reallinuxuser.com/how-to-us ... inux-mint/

Re: New Vulnerabilities in VLC

Posted: Fri Jul 05, 2019 8:32 am
by smurphos
The flatpak is at version 3.0.7.1, so is the latest stable release.

Re: New Vulnerabilities in VLC

Posted: Fri Jul 05, 2019 9:57 am
by thx-1138
...while you can all be certain that xplayer, pix & xed get fuzzed daily from independent researchers... :mrgreen:

Re: New Vulnerabilities in VLC

Posted: Fri Jul 05, 2019 10:00 am
by gm10
thx-1138 wrote:
Fri Jul 05, 2019 9:57 am
...while you can all be certain that xplayer, pix & xed get fuzzed daily from independent researchers... :mrgreen:
At least. :lol:

Re: New Vulnerabilities in VLC

Posted: Sat Jul 06, 2019 3:31 am
by carum carvi
smurphos wrote:
Fri Jul 05, 2019 8:32 am
The flatpak is at version 3.0.7.1, so is the latest stable release.
Thanks for that tip Smurphos!

Thx-1138, I think I understand your (cheeky) argument. Had to google what "fuzzed" meant though. I couldn't find the exact definition, but I guess it means to comb out, to search through something thoroughly...?

Independent research for critical security risks is of course NOT the case with all the standard software in LinuxMint. But since you guys, as experienced forum users, are all using standard LinuxMint software as well, I think the safety of using the standard LinuxMint software is as good as it will ever get...

Re: New Vulnerabilities in VLC

Posted: Sat Jul 06, 2019 4:34 am
by gm10
carum carvi wrote:
Sat Jul 06, 2019 3:31 am
Thx-1138, I think I understand your (cheeky) argument. Had to google what "fuzzed" meant though. I couldn't find the exact definition, but I guess it means to comb out, to search through something thoroughly...?
https://en.wikipedia.org/wiki/Fuzzing
carum carvi wrote:
Sat Jul 06, 2019 3:31 am
But since you guys, as experienced forum users, are all using standard LinuxMint software as well I think the safety of using the standard LinuxMint software is as good as it will ever get...
Are we though? I'm not using any of the software he listed (but not for security reasons). The more relevant argument is probably that those apps use common libraries and file format related vulnerabilities in those would impact a much larger user/application base, so you can hope they would be discovered.

Re: New Vulnerabilities in VLC

Posted: Sat Jul 06, 2019 4:43 am
by Pjotr
carum carvi wrote:
Sat Jul 06, 2019 3:31 am
Since you guys, as experienced forum users, are all using standard LinuxMint software
Well, I am. :mrgreen:

My take: in real life, Ubuntu/Mint is pretty secure. For various reasons. In certain cases (not overly diligent MOTU's) perhaps also because of its small market share. :mrgreen: