# vlc: serious security issue



## PMc (Jul 23, 2019)

Today all over the newspapers is a report that some really serious security flaw was found in vlc, and one should stop using it for now.

I tried to investigate, but didn't get much of a clue what the problem actually is. From what I could figure from the reports, there seems to be a buffer overflow, so that a specially crafted video clip could run arbitrary code on the machine. Or at least that's what I understood.

Anybody having more substantial info?


----------



## SirDice (Jul 23, 2019)

Took me two minutes to check their website: https://www.videolan.org/security/sa1901.html


----------



## PMc (Jul 23, 2019)

SirDice said:


> Took me two minutes to check their website: https://www.videolan.org/security/sa1901.html



Yeah, but that's the wrong one!

That one states it is solved in 3.0.7.  The current media reports say 3.0.7.1 is the compromised version, and there is no fix:

VLC player has 'critical' security flaw (www.techradar.com): Researchers warn on significant vulnerability in popular media player

NVD - CVE-2019-13615 (nvd.nist.gov)


----------



## SirDice (Jul 23, 2019)

The previous SA actually sounds more like what you described. For some reason that new bug description doesn't appear to be all that dangerous.

But I wouldn't be surprised if it was mentioned in mainstream media and they managed to get their facts mixed up.


----------



## SirDice (Jul 23, 2019)

Interesting remark on the Videolan ticket: https://trac.videolan.org/vlc/ticket/22474



> If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.


----------



## PMc (Jul 23, 2019)

SirDice said:


> The previous SA actually sounds more like what you described. For some reason that new bug description doesn't appear to be all that dangerous.
> 
> But I wouldn't be surprised if it was mentioned in mainstream media and they managed to get their facts mixed up.



That's why I posted the thread. The whole thing is somehow strange, might be a regression, or whatever, and doesn't get fully clear.



SirDice said:


> Interesting remark on the Videolan ticket: https://trac.videolan.org/vlc/ticket/22474



Okay, now it gets grotesque.  The "fake news source" appears to be the "CERT-Bund", and the actual fake news on techradar.com is to call that a "firm" - because in fact it's the German government (who seems to be the fake news distributor):


			Kurzinfo CB-K19/0634
		

And from there it apparently found its way to the media.


Meanwhile, the press reports continue to pop up:


You Might Want to Uninstall VLC. Immediately. [Updated: Maybe Not] (gizmodo.com): Because of its free and open-source nature, VLC is one of, if not the most popular cross-platform media player in the world. Unfortunately, a newfound and potentially very serious security flaw discovered in VLC means you might want to uninstall it until the folks at the VideoLAN Project can...


----------



## SirDice (Jul 23, 2019)

For the previous slew of bugs it would indeed be proper to suggest to uninstall it, some are really nasty. But those have all been patched as far as I know. This new thing can't even be confirmed by the VLC developers.


----------



## PMc (Jul 23, 2019)

SirDice said:


> For the previous slew of bugs it would indeed be proper to suggest to uninstall it, some are really nasty. But those have all been patched as far as I know. This new thing can't even be confirmed by the VLC developers.



Yes, I remember installing that update somewhere during June.
And today I found German media headlines full of the matter, mentioning 3.0.7.1 as the problem. And now America seems to tune in.
So let's get some popcorn and watch the show...


----------

