
VLC FUD Galore (Misclassification of Bug and Threat)

Filed under: Movies, OSS, Security

Mystery solved: VLC is safe, culprit an old 'plugin' (external)

  • 'Critical' vulnerability discovered in VLC on Linux and Windows -- but VideoLAN says it is not reproducible

    Reports have emerged of a security bug in the Windows and Linux versions of VLC, making it vulnerable to remote-code execution via malicious videos.

  • Confusion about a recently disclosed vulnerability in VLC Media Player

    Update: VideoLAN confirmed that the issue was not a security issue in VLC Media Player. The engineers detected that the issue was caused by an older version of the third-party library called libebml that was included in older versions of Ubuntu. The researcher apparently used that older version of Ubuntu.

    Gizmodo's Sam Rutherford suggested that users uninstall VLC immediately and the tenor of other tech magazines and sites was identical for the most part. Sensationalist headlines and stories generate lots of pageviews and clicks, and that is likely the main reason why sites like to make use of those instead of focusing on headlines and articles that are not as sensationalist.

  • VLC Player hit by buffer overflow vulnerability in third-party library

    First released in February 2001 and developed under the Lesser GPL V2.1+ licence, VideoLAN Player - most commonly referred to as VLC - is one of the most popular cross-platform media playback and streaming utilities around. Sadly, that very popularity makes it a ripe target for ne'er-do-wells - making a serious flaw discovered in the latest release all the more critical.

    According to the bug's entry on the Common Vulnerabilities and Exposures (CVE) project, the flaw allows malicious or otherwise badly-written code to over-read past the end of a heap-based buffer in the software's MKV demuxing function. The US National Vulnerability Database, meanwhile, rates it as a CVSS 3.0 severity of 9.8 - giving it a top Critical mark, given that it can be used to crash the system, read private data, or even access private files.

Keep Calm, Carry On. VLC Not Affected by Critical Vulnerability

  • Keep Calm, Carry On. VLC Not Affected by Critical Vulnerability

    A recent security alert caused a panic where people thought the VLC Media Player was affected by a critical vulnerability that had no patch. The problem is that the vulnerability was not in VLC, but rather a module that was replaced over 16 months ago.

    According to a series of tweets posted by VLC developer Jean-Baptiste Kempf, it all started when Mitre created a CVE for a reported bug in VLC Media Player without first contacting VideoLan.

VLC Developer Debunks Reports

  • VLC Developer Debunks Reports of 'Critical Security Issue' In Open Source Media Player

    Widespread reports of a "critical security issue" that supposedly impacted users of VLC media player have been debunked as "completely bogus" by developers. Earlier this week, German computer emergency response team CERT-Bund -- part of the Federal Office for Information Security (BSI) -- pushed out an advisory warning network administrators and other users of a high-impact vulnerability in VLC. It seems that this advisory can be traced back to a ticket that was opened on VLC owner VideoLAN's public bug tracker more than four weeks ago. The alleged heap-based buffer overflow flaw was disclosed by a user named "topsec(zhangwy)," who stated that a malicious .mp4 file could be leveraged by an attacker to take control of VLC media player users' devices. The issue was flagged as high-risk on the CERT-Bund site, and the vulnerability was assigned a CVE entry (CVE-2019-13615).

  • VLC developer debunks reports of ‘critical security issue’ in open source media player

    In fact, the earliest version of VLC that is potentially vulnerable to this exploit is 3.0.2, which was superseded in April 2018, leading to suspicions that the bug reporter was working on a computer running an outdated version of Ubuntu.

    "If you report a security issue, at least update your Linux distribution," Kempf said.

    Moreover, says Kempf, it would be very difficult to develop a reliable exploit that worked on older systems, and out of the question to develop a hack against an up-to-date version of the software.

    "The issue was there two years ago, but it's absolutely not possible to take control [of someone's device now]," he said.

    "You need to send a file. The person needs to open it on a vulnerable version of VLC and then you need to disable the security of your machine [in particular, address space layout randomization] to exploit the heap buffer overflow.

    "That was patched more than a year ago, in April 2018."

VLC media player affected by a major vulnerability

  • VLC media player affected by a major vulnerability in a 3rd library, libebml; updating to the latest version may help

    A few days ago, the German security agency CERT-Bund revealed it had found a Remote Code Execution (RCE) flaw in the popular open-source VLC Media Player, allowing hackers to install, modify, or run any software on a victim's device without their authority; it could also be used to disclose files on the host system.

    The vulnerability (listed as CVE-2019-13615) was first announced by WinFuture and received a vulnerability score of 9.8 making it a “critical” problem.

    According to a release by CERT-Bund, “A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.”

'Critical' vulnerability in VLC Media Player downgraded

  • 'Critical' vulnerability in VLC Media Player downgraded after VideoLAN claims the flaw was fixed 16 months ago

    A ‘critical' security flaw in VLC Media Player has been downgraded after the organisation behind the popular app claimed that the issue had already been fixed.

    The NIST National Vulnerability Database has slashed its rating for CVE-2019-13615 from 9.8 to 5.5 and "is awaiting re-analysis which may result in further changes to the information provided" after VideoLAN, the not-for-profit open-source organisation behind VLC Media Player, complained that the advisories and associated CVEs were wrong.

    Taking to Twitter, VideoLAN blamed a reporter for running VLC on an old version of Ubuntu with out-of-date libraries, and security firm MITRE for issuing a CVE before the reporter's claims could be examined by VideoLAN.

Still publishing FUD about VLC

  • Should you uninstall VLC or not? Here's what you must really do

    VLC, the popular multimedia player, was pushed into a controversy after a report submitted by WinFuture stated that the player had security issues. WinFuture in its reports classified the app to be a High Risk (Level 4), hence recommending users to uninstall it from the PCs.

    As per the report, WinFuture claims that the vulnerability would allow hackers to alter the codes and breach the user data in the PC. The security agency described the issue to be 'a remote' that would allow hackers to use the flaw to execute arbitrary codes, create a denial of service state, disclose user information or even manipulate PC files. The vulnerability can also allow the scavengers to install, modify or run software applications without administrative authorisations.

    The report has further stated that the PCs running Windows, Linux, and UNIX operating systems are most vulnerable to the flaw. The security agency cleared that there were no reported cases of data theft through the flaw but considering the potential of the flaw, the users have to be very careful.

VLC FUD continues even after it being totally debunked

  • Is VLC media player Vulnerable to hackers? [Ed: The answer is "no", so why are such FUD pieces still being composed?]

    VLC Media Player has been detected with a critical vulnerability that allows hackers to hijack your computers and see your files.

"VLC representatives say the reports are fake news"
