New Vulnerabilities in VLC
Make Tech Easier has a recent article about vulnerabilities in VLC. It says that the safe versions are 3.0.7 and above.
https://www.maketecheasier.com/hackers- ... abilities/
Does anyone know if this is a problem in Linux versions of VLC? If so, should I install a version outside of the repositories?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
- Pjotr
- Level 23
- Posts: 19879
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: New Vulnerabilities in VLC
Don't put too much value on the upstream version number. Often, the Ubuntu/Mint devs prefer cherry-picking security fixes and backporting them into an older version.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: New Vulnerabilities in VLC
Yes. The vulnerability was even discovered on Linux.
Depends on your usage. If you do not download files from untrusted sources or at least not in Matroska format then the vulnerability won't affect you. Otherwise yes, probably, or use another player while you wait for vlc to get fixed in Ubuntu and thus Mint. Here's the status:
https://people.canonical.com/~ubuntu-se ... 12874.html
Anti-virus products can also detect malformed Matroska files but I cannot recommend one here for lack of experience with them.
Re: New Vulnerabilities in VLC
Thank you both for your replies.
Re: New Vulnerabilities in VLC
Quoted from Videolan.org:
Workarounds
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.
VLC media player 3.0.7 addresses the issues. This release also fixes an important security issue that could lead to code execution when playing an AAC file
My question is HOW to disable VLC browser plugins? Because that is mentioned on Videolan.org as an alternative protection.
Re: New Vulnerabilities in VLC
"refrain from opening files from untrusted third parties"
How are we to know who is trustworthy?
Everything in life was difficult before it became easy.
Re: New Vulnerabilities in VLC
Good question, Carum Carvi. And do we need to disable all of the plugins or just one plugin?
- Pjotr
Re: New Vulnerabilities in VLC
Some notes:
- By default, you don't have a VLC browser plugin in Firefox. You can check that easily in your web browser. So by default, no worries about Firefox plugins.
- The need for extra carefulness apparently only arises when handling Matroska files (.mkv, .mk3d, .mka, .mks). Not for other file types, at least probably not in Linux. If you have a Matroska file on your hard disk, you can right-click it and (for the time being) change the default association for it (and for the likes of it) into another media player.
- As an extra precaution it might help to run VLC, for the time being, in the Firejail sandbox.
- Don't panic. The Ubuntu devs are working on it....
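Added example, not part of the thread or of any project mentioned in it: the extensions listed in the post above identify Matroska files only by name, while the format itself is an EBML document whose header carries a DocType string. This Python sketch reads that header so a file can be triaged by content before it is opened; the function names, the `triage` labels and the sample bytes are constructed for illustration.

```python
import io
import os

EBML_MAGIC = b"\x1a\x45\xdf\xa3"          # ID of the EBML header element
DOCTYPE_ID = 0x4282                        # DocType element inside that header
MATROSKA_EXTS = {".mkv", ".mk3d", ".mka", ".mks"}   # extensions named in the post

def _vint(buf, keep_marker):
    """Read one EBML variable-length integer; None if truncated or invalid."""
    first = buf.read(1)
    if not first or first[0] == 0:
        return None
    length = 9 - first[0].bit_length()     # leading zero bits + 1 = total bytes
    rest = buf.read(length - 1)
    if len(rest) != length - 1:
        return None
    value = first[0] if keep_marker else first[0] & (0xFF >> length)
    for byte in rest:
        value = (value << 8) | byte
    return value

def ebml_doctype(data):
    """None if not EBML; '' if EBML but DocType unreadable; else the DocType."""
    if not data.startswith(EBML_MAGIC):
        return None
    buf = io.BytesIO(data[4:])
    size = _vint(buf, keep_marker=False)
    header = io.BytesIO(buf.read(min(size or 0, 4096)))   # cap untrusted size
    while True:
        elem_id = _vint(header, keep_marker=True)
        elem_size = _vint(header, keep_marker=False)
        payload = header.read(elem_size or 0)
        if elem_id is None or elem_size is None or len(payload) != elem_size:
            return ""                      # truncated or malformed header
        if elem_id == DOCTYPE_ID:
            return payload.rstrip(b"\x00").decode("ascii", "replace")

def triage(name, data):
    """Classify a file by content first, extension second."""
    doctype = ebml_doctype(data)
    ext = os.path.splitext(name)[1].lower()
    if doctype is None:
        return "not-ebml"
    if doctype not in ("", "matroska"):
        return "ebml:" + doctype           # another EBML profile, e.g. WebM
    # Unreadable DocType is treated like Matroska (fail closed).
    return "matroska" if ext in MATROSKA_EXTS else "matroska-disguised"

# Constructed sample: a minimal EBML header declaring DocType "matroska".
SAMPLE = EBML_MAGIC + b"\x8b" + b"\x42\x82\x88matroska"
```

Pass `triage` the file name and the first few kilobytes of the file; a result of `matroska-disguised` means the content is Matroska although the extension is not one of those listed.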
Re: New Vulnerabilities in VLC
Careful with such promises. VLC is in the universe repo, meaning it is not supported by Ubuntu, only by the volunteer community maintainers - who may or may not want to try to SRU this to v3.0.7. Debian has already updated though so I'd hope somebody will copy it over.
- Pjotr
Re: New Vulnerabilities in VLC
True. But in the past, the Masters of the Universe (MOTU's) have usually been swift with security fixes for critical high-profile software like VLC....
Re: New Vulnerabilities in VLC
Thanks for the useful information!
- smurphos
- Level 18
- Posts: 8501
- Joined: Fri Sep 05, 2014 12:18 am
- Location: Irish Brit in Portugal
- Contact:
Re: New Vulnerabilities in VLC
Both VideoLan and Ubuntu are heavily pushing the VLC Snap these days as the preferred way to install in Ubuntu. It's packaged directly by VideoLan.
Upstream Debian released 3.0.7 on 9th June in Stretch & 7th June in Buster. There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version.
In fact Bionic's 3.0.4 has another un-patched 6 month old CVE (fixed in Debian in January) - https://people.canonical.com/~ubuntu-se ... 19857.html.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
Re: New Vulnerabilities in VLC
There's no pending SRU for vlc even for the old CVE. As I always say, for practical purposes you have to consider the universe repo as unsupported, most software in there never receives a bug fix after a new Ubuntu version has been released.
Re: New Vulnerabilities in VLC
smurphos wrote: Fri Jul 05, 2019 1:15 am
Both VideoLan and Ubuntu are heavily pushing the VLC Snap these days as the preferred way to install in Ubuntu. It's packaged directly by VideoLan.
There doesn't seem to be much urgency from Ubuntu to follow suit for the regular repo version. In fact Bionic's 3.0.4 has another un-patched 6 month old CVE (fixed in Debian in January) -
Wow. That's a wake-up call for me. I never considered software from the universe repo to be a security risk. But I will choose such third party software more carefully from now on. I think I will not choose the option to install third party software anymore during a new install of Linux Mint.
Will there be an updated flatpak version of VLC available in LinuxMint in the foreseeable future that we can download? I just found out that I can use snap packages as well in LinuxMint if I first install snapd from within the software manager. An informative link about how to install snap packages in LinuxMint is found below, because I really can't live without VLC. I am a diehard VLC user...happily so...
https://www.reallinuxuser.com/how-to-us ... inux-mint/
- smurphos
Re: New Vulnerabilities in VLC
The flatpak is at version 3.0.7.1 so is the latest stable release
Re: New Vulnerabilities in VLC
...while you can all be certain that xplayer, pix & xed get fuzzed daily from independent researchers...
Re: New Vulnerabilities in VLC
Thanks for that tip Smurphos!
Thx-1138, I think I understand your (cheeky) argument. Had to google what "fuzzed" meant though. I couldn't find the exact definition, but I guess it means to comb out, to search through something thoroughly...?
Independent research for critical security risks is of course NOT the case with all the standard software in LinuxMint. But since you guys, as experienced forum users, are all using standard LinuxMint software as well I think the safety of using the standard LinuxMint software is as good as it will ever get...
Last edited by carum carvi on Sun Jul 07, 2019 5:22 am, edited 1 time in total.
Re: New Vulnerabilities in VLC
carum carvi wrote: Sat Jul 06, 2019 3:31 am
Thx-1138, I think I understand your (cheeky) argument. Had to google what "fuzzed" meant though. I couldn't find the exact definition, but I guess it means to comb out, to search through something thoroughly...?
https://en.wikipedia.org/wiki/Fuzzing
carum carvi wrote: Sat Jul 06, 2019 3:31 am
But since you guys, as experienced forum users, are all using standard LinuxMint software as well I think the safety of using the standard LinuxMint software is as good as it will ever get...
Are we though? I'm not using any of the software he listed (but not for security reasons). The more relevant argument is probably that those apps use common libraries and file format related vulnerabilities in those would impact a much larger user/application base, so you can hope they would be discovered.
- Pjotr
Re: New Vulnerabilities in VLC
carum carvi wrote: Sat Jul 06, 2019 3:31 am
Since you guys, as experienced forum users, are all using standard LinuxMint software
Well, I am.
My take: in real life, Ubuntu/Mint is pretty secure. For various reasons. In certain cases (not overly diligent MOTU's) perhaps also because of its small market share.