
Security Bulletin VLC 3.0.11 - doener
https://www.videolan.org/security/sb-vlc3011.html
======
an_opabinia
Media decoders are the biggest, richest, unexploited, practical and valuable
target for developing end user malware and government surveillance. If I
wanted to surveil a dissident using Tor for example I would deliver the
payload in a protest video they download or whatever.

People open video and images files all the time. The amount of breath I see
burned here on obscure or niche security concerns is ridiculous. The
implementations aren’t buggy, they are just written by like one person, the
sole maintainer you cannot under any circumstances discourage from doing this
work, with a criticism-proof godlike level of knowledge, in vast amounts of
uncommented code that makes huge numbers of unenforceable assumptions in the
pursuit of better performance, targeting vast hardware with closed source
binary blobs also seeking performance, on every popular platform. It’s a
minefield.

~~~
g_airborne
Can’t agree more. Every codec implementation or video-related software package
is just a giant pile of pointer-heavy C/C++ code. It’s not a bad thing because
it’s fast and practically still the only way to do it. But looking at
codebases like VLC and especially ffmpeg makes me a little nervous. How many
bugs like this are hidden in these libraries that we don’t know about?

~~~
thephyber
IIRC, there was a project within the VLC team to port a codec to rust (it was
shown off at a con talk IIRC). I'm curious what happened to that project.

Also, it looks like the VLC Summer of Code ("SoC") 2020[1] mentions a
potential project for fuzzing.

[1] [https://wiki.videolan.org/SoC_2020/](https://wiki.videolan.org/SoC_2020/)

~~~
mappu
Kostya (long time ffmpeg contributor from e.g. RV40 reverse engineering) moved
on to writing a greenfield ffmpeg alternative purely in Rust, with all new
codecs, named NihAV.

Follow the blog:
[https://codecs.multimedia.cx/](https://codecs.multimedia.cx/) but there's no
source code release yet AFAIK.

~~~
lsofzz
> Follow the blog:
> [https://codecs.multimedia.cx/](https://codecs.multimedia.cx/) but there's
> no source code release yet AFAIK.

Nice; though the documentation/blog is quite hard to follow :)

------
jbk
Currently, this code is only reachable in the case of a hardware decoder, on
macOS, using the VideoToolbox library, when it needs Annex B conversion.

But as there are other issues on other dependencies, we preferred to bump it
everywhere.
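
The conversion jbk refers to, as an added illustration and not VLC's code: a hypothetical converter from length-prefixed NAL units (the AVCC/hvcC layout, with a 1 to 4 byte big-endian length before each NAL) to Annex B start-code framing. The point a practitioner wants to see in such a routine is that the NAL length declared by the container is validated against the bytes actually present in the input, and against the remaining output capacity, before any copy. Function names and the sample buffers below are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ANNEXB_START_CODE_LEN 4

/* Hypothetical converter (not VLC's code): rewrites length-prefixed NAL
 * units into Annex B framing (00 00 00 01 before each NAL).
 * Returns the number of bytes written to out, or 0 if the input is
 * malformed or the output buffer is too small. */
size_t avcc_to_annexb(const uint8_t *in, size_t in_len, unsigned length_size,
                      uint8_t *out, size_t out_cap)
{
    static const uint8_t start_code[ANNEXB_START_CODE_LEN] = {0, 0, 0, 1};
    size_t ipos = 0, opos = 0;

    if (in == NULL || out == NULL) return 0;
    if (length_size < 1 || length_size > 4) return 0;

    while (ipos < in_len) {
        /* The length prefix itself must be fully present. */
        if (in_len - ipos < length_size) return 0;
        uint32_t nal_len = 0;
        for (unsigned i = 0; i < length_size; i++)
            nal_len = (nal_len << 8) | in[ipos + i];
        ipos += length_size;

        /* Container-declared length must fit in the remaining input. A
         * converter that trusts this field reads past the buffer. */
        if (nal_len == 0 || nal_len > in_len - ipos) return 0;

        /* Start code plus payload must fit in the remaining output. */
        if (out_cap - opos < ANNEXB_START_CODE_LEN ||
            out_cap - opos - ANNEXB_START_CODE_LEN < nal_len) return 0;

        memcpy(out + opos, start_code, ANNEXB_START_CODE_LEN);
        opos += ANNEXB_START_CODE_LEN;
        memcpy(out + opos, in + ipos, nal_len);
        opos += nal_len;
        ipos += nal_len;
    }
    return opos;
}

/* Constructed sample: two NAL units with 4-byte length prefixes. */
static const uint8_t SAMPLE_AVCC[]   = {0, 0, 0, 2, 0x67, 0x42, 0, 0, 0, 1, 0x68};
static const uint8_t SAMPLE_ANNEXB[] = {0, 0, 0, 1, 0x67, 0x42, 0, 0, 0, 1, 0x68};

/* 1 if the well-formed sample converts to the expected Annex B bytes. */
int demo_wellformed(void)
{
    uint8_t out[32];
    size_t n = avcc_to_annexb(SAMPLE_AVCC, sizeof SAMPLE_AVCC, 4, out, sizeof out);
    return n == sizeof SAMPLE_ANNEXB && memcmp(out, SAMPLE_ANNEXB, n) == 0;
}

/* 1 if a declared length (16) larger than the bytes present is rejected. */
int demo_oversized_length(void)
{
    static const uint8_t bad[] = {0, 0, 0, 16, 0x67};
    uint8_t out[32];
    return avcc_to_annexb(bad, sizeof bad, 4, out, sizeof out) == 0;
}

/* 1 if an output buffer too small for the second NAL is rejected. */
int demo_small_output(void)
{
    uint8_t out[8];
    return avcc_to_annexb(SAMPLE_AVCC, sizeof SAMPLE_AVCC, 4, out, sizeof out) == 0;
}

int main(void)
{
    printf("wellformed=%d oversized=%d small_out=%d\n",
           demo_wellformed(), demo_oversized_length(), demo_small_output());
    return 0;
}
```

The two rejection paths are the ones worth fuzzing in any real converter: a length field that exceeds the remaining input, and an output estimate that does not account for the start code added per NAL.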

------
Aachen
Clarifications that are not clear from the title:

\- 3.0.11 is the fixed version, the bulletin isn't about a vuln in that
version.

\- It only affects iOS/macOS

------
michaelmrose
Maybe this is an opportunity to try another open source video player. Smplayer
also works on windows mac and linux.

\- Preferences menu isn't broken into normal and space shuttle control panel.

\- Playlist works in fullscreen mode which isn't the case with VLC.

\- Saves place in videos by default; mpv, the simpler interface, is actually
smarter and remembers the position in a group of files if you pass it the same
files. I think VLC can do this but it's somewhere in the space shuttle
preferences interface.

\- Adding a folder doesn't add non video files to a playlist

\- Audio syncing doesn't appear to be an issue over the network

\- It understands any network stream that youtube-dl supports which seems to
be much better than vlc

~~~
akiselev
As far as I know, SMplayer is based off of mplayer which uses ffmpeg under the
hood, just like VLC. The most serious vulnerabilities would be present on both
(although I think this exploit is VLC specific).

~~~
michaelmrose
Smplayer can use mplayer or mpv, which in turn can use ffmpeg or in theory its
fork libav. There is a big intersection under the hood and indeed there is a
possibility for a defect to affect both, although this issue is VLC and Mac
specific.

I don't think Smplayer is more secure; I just think it's a better tool than VLC.

------
jokoon
I always suspect porn sites of being a huge honeypot for any sort of
malware. I am still betting most browsers still have their share of 0-days.

------
kulshan
3.0.10 was such a buggy release for macOS. Astonished they let something so
awful out and that it took months to release a fix.

~~~
jbk
Sorry about that.

~~~
drenvuk
Thanks for releasing a fix. Not trying to butter your butt but I really enjoy
VLC.

