New Vulnerabilities in VLC

ejazzkatt
Level 4
Posts: 208
Joined: Sat Nov 30, 2013 10:03 am

New Vulnerabilities in VLC

Post by ejazzkatt »

Make Tech Easier has a recent article about vulnerabilities in VLC. It says that the safe versions are 3.0.7 and above.

https://www.maketecheasier.com/hackers- ... abilities/
Does anyone know if this is a problem in Linux versions of VLC? If so, should I install a version outside of the repositories?
Pjotr
Level 23
Posts: 19879
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland) 🇳🇱

Re: New Vulnerabilities in VLC

Post by Pjotr »

Don't put too much value on the upstream version number. Often, the Ubuntu/Mint devs prefer cherry-picking security fixes and backporting them into an older version.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
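Pjotr's point above, that a distribution package can carry a security fix without moving to a new upstream version number, means the useful check is the package changelog rather than the version string. The Python script below is an added example, not code from the original post or from the VLC or Ubuntu projects: it parses a Debian-style changelog and answers whether an installed package version is the entry that names a given CVE id or a newer one. The changelog text, the maintainer address and the id `CVE-XXXX-YYYY` are constructed placeholders, not real data. On a live system the changelog would come from `apt-get changelog vlc` and the installed version from `dpkg-query -W -f='${Version}\n' vlc`.

```python
"""Check a Debian/Ubuntu package changelog for a security fix instead of trusting
the upstream version number.

Added example; the changelog below is constructed and CVE-XXXX-YYYY is a placeholder id.
"""
import re
from typing import List, Optional

# Start of a changelog entry: "package (version) distribution(s); urgency=..."
ENTRY_RE = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9.+-]+) \((?P<ver>[^)]+)\) (?P<dists>[^;]+);",
    re.MULTILINE,
)

# Constructed sample changelog, newest entry first as dpkg writes it.
# Not a real Ubuntu changelog; versions, dates and the CVE id are placeholders.
SAMPLE_CHANGELOG = """\
vlc (3.0.4-1ubuntu0.3) bionic-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read in a demuxer (placeholder description)
    - debian/patches/CVE-XXXX-YYYY.patch: add bounds check
    - CVE-XXXX-YYYY

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jul 2019 10:00:00 +0000

vlc (3.0.4-1ubuntu0.2) bionic; urgency=medium

  * Rebuild against updated libraries; no security content.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 03 Jun 2019 10:00:00 +0000

vlc (3.0.4-1) bionic; urgency=medium

  * New upstream release 3.0.4.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Oct 2018 10:00:00 +0000
"""


def parse_changelog(text: str) -> List[dict]:
    """Split a changelog into entries (newest first), each with version, dists and body."""
    heads = list(ENTRY_RE.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({
            "version": head.group("ver"),
            "dists": head.group("dists").strip(),
            "body": text[head.end():end],
        })
    return entries


def versions_mentioning(text: str, cve_id: str) -> List[str]:
    """Versions whose entry names the given CVE id as a whole token (case-insensitive)."""
    needle = re.compile(r"(?<![\w-])" + re.escape(cve_id) + r"(?![\w-])", re.IGNORECASE)
    return [e["version"] for e in parse_changelog(text) if needle.search(e["body"])]


def is_fixed(installed_version: str, text: str, cve_id: str) -> Optional[bool]:
    """True if the installed version is the fixing entry or newer, False if older,
    None if the installed version or the fix does not appear in this changelog.

    Ordering comes from the changelog itself (newest first), so no Debian version
    arithmetic is needed.
    """
    versions = [e["version"] for e in parse_changelog(text)]
    fixing = versions_mentioning(text, cve_id)
    if installed_version not in versions or not fixing:
        return None
    # The oldest entry that mentions the id is where the fix first landed.
    first_fix_index = versions.index(fixing[-1])
    return versions.index(installed_version) <= first_fix_index


if __name__ == "__main__":
    for ver in ("3.0.4-1ubuntu0.2", "3.0.4-1ubuntu0.3"):
        print(ver, "fixed:", is_fixed(ver, SAMPLE_CHANGELOG, "CVE-XXXX-YYYY"))
```

A `None` result is the case to treat with care: either the installed version is not from this package's changelog (for example a snap, flatpak or third-party build) or the changelog never mentions the id, in which case the upstream release notes are the next place to look.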
gm10

Re: New Vulnerabilities in VLC

Post by gm10 »

ejazzkatt wrote: Wed Jul 03, 2019 2:25 pm Does anyone know if this is a problem in Linux versions of VLC?
Yes. The vulnerability was even discovered on Linux. ;)
ejazzkatt wrote: Wed Jul 03, 2019 2:25 pm If so, should I install a version outside of the repositories?
Depends on your usage. If you do not download files from untrusted sources or at least not in Matroska format then the vulnerability won't affect you. Otherwise yes, probably, or use another player while you wait for vlc to get fixed in Ubuntu and thus Mint. Here's the status:
https://people.canonical.com/~ubuntu-se ... 12874.html

Anti-virus products can also detect malformed Matroska files but I cannot recommend one here for lack of experience with them.
ejazzkatt

Re: New Vulnerabilities in VLC

Post by ejazzkatt »

Thank you both for your replies.
carum carvi

Re: New Vulnerabilities in VLC

Post by carum carvi »

Quoted from Videolan.org:
Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

VLC media player 3.0.7 addresses the issues. This release also fixes an important security issue that could lead to code execution when playing an AAC file.
My question is HOW to disable VLC browser plugins? Because that is mentioned on Videolan.org as an alternative protection.
all41
Level 19
Posts: 9498
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: New Vulnerabilities in VLC

Post by all41 »

refrain from opening files from untrusted third parties
How are we to know who is trustworthy?
Everything in life was difficult before it became easy.
ejazzkatt
Level 4
Level 4
Posts: 208
Joined: Sat Nov 30, 2013 10:03 am

Re: New Vulnerabilities in VLC

Post by ejazzkatt »

Good question, Carum Carvi. And do we need to disable all of the plugins or just one plugin?
Pjotr

Re: New Vulnerabilities in VLC

Post by Pjotr »

Some notes:

- By default, you don't have a VLC browser plugin in Firefox. You can check that easily in your web browser. So by default, no worries about Firefox plugins.

- The need for extra carefulness apparently only arises when handling Matroska files (.mkv, .mk3d, .mka, .mks). Not for other file types, at least probably not in Linux. If you have a Matroska file on your hard disk, you can right-click it and (for the time being) change the default association for it (and for the likes of it) into another media player.

- As an extra precaution it might help to run VLC, for the time being, in the Firejail sandbox.

- Don't panic. The Ubuntu devs are working on it.... :mrgreen:
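Pjotr's second note sorts Matroska files by their extension, which is also what the desktop file association keys on. The extension is only a label, so a content check is the more reliable way to decide which files are Matroska containers. The Python script below is an added example, not code from the original post or from VideoLAN: it reads the EBML header that every Matroska or WebM file begins with (the magic bytes 1A 45 DF A3, then a DocType element) and reports when the container type and the extension disagree. The extension set is the one Pjotr lists plus `.webm`, since WebM is a Matroska profile; the sample byte strings and filenames are constructed inline.

```python
"""Identify Matroska/WebM containers by content instead of by file extension.

Added example with constructed sample data; not part of the original thread or of VLC.
"""
import os
from typing import Optional, Tuple

EBML_MAGIC = b"\x1a\x45\xdf\xa3"   # ID of the EBML header element that starts every Matroska/WebM file
DOCTYPE_ID = 0x4282                 # EBML element ID of DocType
MATROSKA_DOCTYPES = {"matroska", "webm"}
MATROSKA_EXTENSIONS = {".mkv", ".mk3d", ".mka", ".mks", ".webm"}


def read_vint(data: bytes, pos: int, keep_marker: bool = False) -> Tuple[int, int]:
    """Decode an EBML variable-length integer starting at data[pos].

    The number of leading zero bits in the first byte gives the length (1..8 bytes).
    Element IDs keep the length-marker bit (keep_marker=True); sizes strip it.
    Returns (value, position after the integer).
    """
    if pos >= len(data):
        raise ValueError("truncated EBML data")
    first = data[pos]
    length, mask = 1, 0x80
    while length <= 8 and not first & mask:
        length += 1
        mask >>= 1
    if length > 8 or pos + length > len(data):
        raise ValueError("invalid or truncated EBML integer")
    value = first if keep_marker else first & (mask - 1)
    for byte in data[pos + 1:pos + length]:
        value = (value << 8) | byte
    return value, pos + length


def ebml_doctype(data: bytes) -> Optional[str]:
    """Return the DocType of an EBML file ('matroska', 'webm', ...), or None when the
    data is not EBML or the header is malformed or truncated."""
    if not data.startswith(EBML_MAGIC):
        return None
    try:
        pos = len(EBML_MAGIC)
        header_size, pos = read_vint(data, pos)
        end = min(pos + header_size, len(data))
        while pos < end:
            element_id, pos = read_vint(data, pos, keep_marker=True)
            size, pos = read_vint(data, pos)
            if element_id == DOCTYPE_ID:
                return data[pos:pos + size].decode("ascii", errors="replace")
            pos += size   # skip elements we are not interested in
    except ValueError:
        return None
    return None


def assess(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    ext = os.path.splitext(filename)[1].lower()
    doctype = ebml_doctype(data)
    by_content = doctype in MATROSKA_DOCTYPES
    by_extension = ext in MATROSKA_EXTENSIONS
    return {
        "doctype": doctype,
        "matroska_by_content": by_content,
        "matroska_by_extension": by_extension,
        "mismatch": by_content != by_extension,
    }


# Constructed minimal Matroska start: a 35-byte EBML header, then a Segment of unknown size.
SAMPLE_MKV = (
    EBML_MAGIC
    + b"\xa3"                  # EBML header size = 35
    + b"\x42\x86\x81\x01"      # EBMLVersion = 1
    + b"\x42\xf7\x81\x01"      # EBMLReadVersion = 1
    + b"\x42\xf2\x81\x04"      # EBMLMaxIDLength = 4
    + b"\x42\xf3\x81\x08"      # EBMLMaxSizeLength = 8
    + b"\x42\x82\x88matroska"  # DocType = "matroska"
    + b"\x42\x87\x81\x04"      # DocTypeVersion = 4
    + b"\x42\x85\x81\x02"      # DocTypeReadVersion = 2
    + b"\x18\x53\x80\x67\x01\xff\xff\xff\xff\xff\xff\xff"  # Segment, unknown size
)
# Constructed start of an MP4 file ("ftyp" box) for contrast.
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2"


if __name__ == "__main__":
    for name, blob in (("film.mkv", SAMPLE_MKV), ("clip.mp4", SAMPLE_MKV), ("clip.mp4", SAMPLE_MP4)):
        print(name, assess(name, blob))
```

Only the first few hundred bytes of a file are needed, so the check is cheap enough to run over a whole download folder before deciding which player a file should be handed to.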
gm10

Re: New Vulnerabilities in VLC

Post by gm10 »

Pjotr wrote: Thu Jul 04, 2019 4:54 am The Ubuntu devs are working on it.... :mrgreen:
Careful with such promises. VLC is in the universe repo, meaning it is not supported by Ubuntu, only by the volunteer community maintainers - who may or may not want to try to SRU this to v3.0.7. Debian has already updated though so I'd hope somebody will copy it over.
Pjotr

Re: New Vulnerabilities in VLC

Post by Pjotr »

gm10 wrote: Thu Jul 04, 2019 5:58 am
Pjotr wrote: Thu Jul 04, 2019 4:54 am The Ubuntu devs are working on it.... :mrgreen:
Careful with such promises. VLC is in the universe repo, meaning it is not supported by Ubuntu, only by the volunteer community maintainers - who may or may not want to try to SRU this to v3.0.7.
True. But in the past, the Masters of the Universe (MOTU's) have usually been swift with security fixes for critical high-profile software like VLC....
ejazzkatt

Re: New Vulnerabilities in VLC

Post by ejazzkatt »

Thanks for the useful information!
smurphos
Level 18
Posts: 8501
Joined: Fri Sep 05, 2014 12:18 am
Location: Irish Brit in Portugal

Re: New Vulnerabilities in VLC

Post by smurphos »

Pjotr wrote: Thu Jul 04, 2019 6:01 am True. But in the past, the Masters of the Universe (MOTU's) have usually been swift with security fixes for critical high-profile software like VLC....
Both VideoLan and Ubuntu are heavily pushing the VLC Snap these days as the preferred way to install in Ubuntu. It's packaged directly by VideoLan.

Upstream Debian released 3.0.7 on 9th June in Stretch & 7th June in Buster. There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version.

In fact Bionic's 3.0.4 has another un-patched 6 month old CVE (fixed in Debian in January) - https://people.canonical.com/~ubuntu-se ... 19857.html.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
gm10

Re: New Vulnerabilities in VLC

Post by gm10 »

smurphos wrote: Fri Jul 05, 2019 1:15 am There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version.
There's no pending SRU for vlc even for the old CVE. As I always say, for practical purposes you have to consider the universe repo as unsupported, most software in there never receives a bug fix after a new Ubuntu version has been released.
carum carvi

Re: New Vulnerabilities in VLC

Post by carum carvi »

gm10 wrote: Fri Jul 05, 2019 4:33 am As I always say, for practical purposes you have to consider the universe repo as unsupported, most software in there never receives a bug fix after a new Ubuntu version has been released.
smurphos wrote: Fri Jul 05, 2019 1:15 am Both VideoLan and Ubuntu are heavily pushing the VLC Snap these days as the preferred way to install in Ubuntu. It's packaged directly by VideoLan.

There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version. In fact Bionic's 3.0.4 has another un-patched 6 month old CVE (fixed in Debian in January) -
Wow. That's a wake up call for me. I never considered software from the universe repo to be a security risk. But I will choose such third party software more carefully from now on. I think I will not choose the option to install third party software anymore during a new install of Linux Mint.

Will there be an updated flatpak version of Vlc available in LinuxMint in the foreseeable future that we can download? I just found out that I can use snap packages as well in LinuxMint if I first install snapd from within the software manager. An informative link about how to install snap packages in LinuxMint is found below, because I really can't live without Vlc. I am a diehard Vlc user...happily so...

https://www.reallinuxuser.com/how-to-us ... inux-mint/
smurphos

Re: New Vulnerabilities in VLC

Post by smurphos »

The flatpak is at version 3.0.7.1 so is the latest stable release
thx-1138
Level 8
Posts: 2092
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: New Vulnerabilities in VLC

Post by thx-1138 »

...while you can all be certain that xplayer, pix & xed get fuzzed daily from independent researchers... :mrgreen:
gm10

Re: New Vulnerabilities in VLC

Post by gm10 »

thx-1138 wrote: Fri Jul 05, 2019 9:57 am ...while you can all be certain that xplayer, pix & xed get fuzzed daily from independent researchers... :mrgreen:
At least. :lol:
carum carvi

Re: New Vulnerabilities in VLC

Post by carum carvi »

smurphos wrote: Fri Jul 05, 2019 8:32 am The flatpak is at version 3.0.7.1 so is the latest stable release
Thanks for that tip Smurphos!

Thx-1138, I think I understand your (cheeky) argument. Had to google what "fuzzed" meant though. I couldn't find the exact definition, but I guess it means to comb out, to search through something thoroughly...?

Independent research for critical security risks is of course NOT the case with all the standard software in LinuxMint. But since you guys, as experienced forum users, are all using standard LinuxMint software as well, I think the safety of using the standard LinuxMint software is as good as it will ever get...
gm10

Re: New Vulnerabilities in VLC

Post by gm10 »

carum carvi wrote: Sat Jul 06, 2019 3:31 am Thx-1138, I think I understand your (cheeky) argument. Had to google what "fuzzed" meant though. I couldn't find the exact definition, but I guess it means to comb out, to search through something thoroughly...?
https://en.wikipedia.org/wiki/Fuzzing
carum carvi wrote: Sat Jul 06, 2019 3:31 am But since you guys, as experienced forum users, are all using standard LinuxMint software as well I think the safety of using the standard LinuxMint software is as good as it will ever get...
Are we though? I'm not using any of the software he listed (but not for security reasons). The more relevant argument is probably that those apps use common libraries and file format related vulnerabilities in those would impact a much larger user/application base, so you can hope they would be discovered.
Pjotr

Re: New Vulnerabilities in VLC

Post by Pjotr »

carum carvi wrote: Sat Jul 06, 2019 3:31 am Since you guys, as experienced forum users, are all using standard LinuxMint software
Well, I am. :mrgreen:

My take: in real life, Ubuntu/Mint is pretty secure. For various reasons. In certain cases (not overly diligent MOTU's) perhaps also because of its small market share. :mrgreen: