Need clarification on critical security flaw in VLC mentioned in the news

Post by fidorulz » 24 Jul 2019 00:19

As reported here

https://gizmodo.com/you-might-want-to-uninstall-vlc-immediately-1836641101

https://winfuture.de/news,110171.html

https://www.cert-bund.de/advisoryshort/CB-K19-0634

There is mention of a critical security flaw

I checked

https://trac.videolan.org/vlc/ticket/22474

and saw the following comments

Changed 7 hours ago by Francois Cartegnie
If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.


the previous comment is

This does not crash a normal release of VLC 3.0.7.1

Can we get clarification on this, since this comes from the German security agency CERT-Bund?

Thanks

Post by lbeck » 24 Jul 2019 04:06

I question why any video player needs remote code execution

InTheWings
Developer
Post by InTheWings » 24 Jul 2019 12:32

fidorulz wrote:
> As reported here
>
> This does not crash a normal release of VLC 3.0.7.1
>
> Can we get clarification on this, since this comes from the German security agency CERT-Bund?
>
> Thanks

You're free to read updates on the ticket which clearly explains the issue.

unidan
Developer
Post by unidan » 24 Jul 2019 12:39

lbeck wrote:
> I question why any video player needs remote code execution

(Arbitrary) remote code execution is a flaw where someone is able to write and execute any code in a software through a network trigger. In this case, it would be triggering a write of code payload in an executable area of memory executed by VLC, through buffer write overflow and function pointer call. https://en.wikipedia.org/wiki/Arbitrary_code_execution
Media players like VLC don't need RCE; it's a bug when it exists.

Here, even with obsolete dependencies, there is no remote code execution exploit currently.

