
About the “Security Issue” on VLC - tiri
https://twitter.com/videolan/status/1153963312981389312
======
LeonM
So none of the tech news websites contacted VideoLAN and published their
articles without checking their source.

I believe this sums up the problem with online news: being first matters most
to news sites. It drives traffic. Accurate reporting comes second.

I feel bad for VideoLAN, according to them the bug was in a 3rd party lib and
was fixed 16 months ago.

~~~
jbk
> So none of the tech news websites contacted VideoLAN and published their
> articles without checking their source.

Actually, one did: numerama. That's all.

> I feel bad for VideoLAN, according to them the bug was in a 3rd party lib
> and was fixed 16 months ago.

My night and morning have been difficult, as you can imagine...

~~~
JosephRedfern
I'm sorry that you're having a bad couple of days thanks to shitty journalism.

Thank you for your efforts in developing VLC, it is a great tool.

------
p49k
Gizmodo posts the headline on their front page, "You Might Want to Uninstall
VLC. Immediately"

Following the debunking of the story, what does Gizmodo do? Leave it on the
front page and change the headline to "You Might Want to Uninstall VLC.
Immediately [Updated]"

~~~
GunniH
They actually did.

>You Might Want to Uninstall VLC. Immediately. [Updated: Maybe Not]

Is the current title...

~~~
NikolaeVarius
It's amazing how a title can have two entirely contradictory, non-committal
claims telling you to do a thing, and yet tell me absolutely nothing useful.

~~~
madez
Will you still read Gizmodo or consider it a trustable source?

~~~
NikolaeVarius
I read gizmodo every once in a while for mild entertainment. I have never
considered it, or anything related to Kinja, to be trustworthy in any shape or
form.

------
paddlepop
MITRE's response to this is a perfect example of the old-school security team
mindset. If I had a nickel for every security team I've worked with that a)
treat reporting as gospel and don't validate it, and b) don't talk to the
developer. From my experience the key issue is they don't understand the issue
enough to engage in a meaningful discussion with the developer.

~~~
jbk
But the biggest issue is that they refuse that we become the CNA for VLC bugs.

So, they are the root CNA for VLC bugs, and they don't triage them correctly.
And don't update the issues when we mention them.

~~~
nbabitskiy
Why can't you be an authority of your CVEs without consulting an American gov
agency? I'm sure VLC org is way more trustworthy for nine out of ten people
on the Earth.

~~~
jbk
Because everyone uses CVE. And then, it gets in the press...

------
hs86
libebml is in the Ubuntu universe repository which means that it is not
supported by Canonical. And in the Debian changelog for this package I don't
see any mentions of a security issue that was fixed 16 months ago:
[https://metadata.ftp-master.debian.org/changelogs//main/libe...](https://metadata.ftp-master.debian.org/changelogs//main/libe/libebml/libebml_1.3.9-2_changelog)

I am losing more and more confidence that these "package the world and freeze
everything in place" distros are the right choice for end users.

~~~
thegeomaster
> I am losing more and more confidence that these "package the world and
> freeze everything in place" distros are the right choice for end users.

I'm there with you. I use a rolling distro (Arch) and I update all packages to
the latest versions whenever I'm bored. I do this because I can't remember the
last time something broke this way. I've been doing that for ~6 years on 3
different machines. On the other hand, a lot of my friends use Ubuntu as their
main OS and they constantly have mysterious issues with software, trouble
installing stuff (a ton of things require binary-only vendor-run PPAs which
then often have out-of-date versions), etc.

So I'm wondering, at least for desktop use-cases, what exactly is gained
there? I would've thought that freezing all packages and issuing a release
would allow a much more rigorous QA process and make the system rock solid.
But somehow a huge company (Canonical) cannot make a system that is as stable
as an orders-of-magnitude less popular, volunteer-run _rolling_ distribution.

Something just doesn't add up to me there. It could be a bias of my sample, or
Canonical just not caring much about the desktop experience anymore. (I run a
lot of machines on Ubuntu LTS and for the server-side it's pretty good.)

~~~
effie
Canonical probably does care less than in their desktop golden years, now they
are perhaps focusing on the server os market (cloud).

The distribution model has the advantage of single click install. Great for
basic users, but you run outdated software, sometimes with well known security
holes. For power users who can take some work in maintaining their system, it
seems to me that your way - keeping up with the latest version of all software
- gives you better security.

~~~
mort96
What do you mean? Arch works the same way as Ubuntu; there's a package
manager, you use it to install software from the system repositories.
`apt-get install vlc` is no easier or more user friendly than `pacman -S vlc`. I
imagine gnome-software even works the way it does in Ubuntu, though I haven't
tried using it.

The only difference is that Arch updates their repos' packages as soon as a
new version is available upstream (after some testing of course), while Ubuntu
doesn't.

~~~
effie
I meant the LTS model such as Ubuntu 18.04 gives you old version software with
the possibility of worse functionality and more security holes. Arch may be
more up-to-date than Ubuntu, but it isn't in the same category; it is not LTS,
and it is not as widespread.

~~~
mort96
I was mostly responding to the part about how "The distribution model has the
advantage of single click install". What's the difference in how "single
click" installation can be between rolling and LTS?

~~~
effie
The point is classic distributions which support their product for a long time
(Debian, Ubuntu, RHEL, CentOS) are easier to use for basic users you can meet on
the street. With Arch or Gentoo, you are right that there is a package manager
which makes installation of software easier, but the system is not easy to use
for BFUs. When problems with installation/upgrades arise (which is more likely
for Arch/Gentoo), you are expected to spend some time becoming a proficient
GNU/Linux user who resolves things in the command line.

~~~
Dylan16807
Citation needed on the number of problems, assuming the classic system is
actually being updated from release to release so it can continue to receive
critical updates.

------
codewithcheese
> The reporter is using Ubuntu 18.04, which is an old version of Ubuntu, and
> clearly has not all the updated libraries.

It's not an "old" version of Ubuntu, it's the latest LTS.

~~~
M2Ys4U
LTS == old.

That's the point of LTS.

~~~
remedan
The point of LTS is that it's old but still receiving security fixes.

------
Aissen
It's funny jbk did a talk at Pass the Salt this year entirely prophesying this
type of event (it's not the first time this happens…):

[https://passthesalt.ubicast.tv/videos/vlc-and-security/](https://passthesalt.ubicast.tv/videos/vlc-and-security/)

I took live notes (not nearly as colorful as the talk) here:
[https://anisse.astier.eu/pass-the-salt-2019-2.html](https://anisse.astier.eu/pass-the-salt-2019-2.html)

------
carlob
Completely OT: does anyone else find this style of posting stuff on a very
long twitter thread hard to read, and somewhat worrying in terms of dependency
on a proprietary platform? Why can't this be upfront on the videolan.org
homepage and just linked from a single tweet?

~~~
lysp
Change the twitter domain:

[https://twitter.com/videolan/status/1153963312981389312](https://twitter.com/videolan/status/1153963312981389312)

to:

[https://threadreaderapp.com/videolan/status/1153963312981389...](https://threadreaderapp.com/videolan/status/1153963312981389312)

~~~
carlob
I know about that, I was more interested in the political point of being
beholden to a proprietary platform. I think that is especially important for
one of the most widely installed open source apps (on non-geeks computers).

------
tptacek
Just to clarify things: CVSS scores are almost completely meaningless and
nobody should take them seriously. They're a Ouija Board that can be made to
say anything.

------
throwaway_391
Slightly offtopic, but are vulns related to overflows no longer PoC'd
publicly or are there mitigating factors which make exploitation impossible
(eg K/ASLR etc)?

The specific CVE listings I'm referring to are:
[https://www.cvedetails.com/vulnerability-list/vendor_id-5842...](https://www.cvedetails.com/vulnerability-list/vendor_id-5842/product_id-9978/Videolan-Vlc-Media-Player.html)
[https://www.cvedetails.com/vulnerability-list/vendor_id-26/p...](https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-32238/Microsoft-Windows-10.html)

~~~
wepple
Building a PoC to prove you can get reliable code execution is typically 10x
harder than finding an issue and patching it.

The modern approach is to assume that most types of memory corruption _could_
be exploitable, and just patch.

Especially given that an inability for one person to reliably PoC does not
mean it’s not exploitable; as soon as you say it’s not exploitable, Mark Dowd
shows up and exploits the bug.

------
jokowueu
>Yes, so your issue is your distribution is not up-to-date, not VLC.

I've always found it odd that many of the packages on certain linux
distributions were old. Like how one time the latest openvpn version on the
latest Ubuntu release was a year old.

~~~
plopz
Debian 8 is still on php 5.6 which is EOL, even if you upgrade to debian 9 you
would be on php 7.0 which is also EOL.

~~~
apocalyptic0n3
Debian 10 is running 7.3, thankfully. But their LTS runs for 5 years and 7.3
will be EOL about 7 months before Buster and active support dropped about 17
months before. And PHP 7.4 is due out in November/December. So Buster will be
outdated with its PHP release 6 months after release.

------
glandium
Except if I missed something in my quick research, there doesn't seem to have
been a CVE for libebml when it was fixed 16 months ago. So it's really not
surprising that LTS distros don't have the fix...

~~~
middleload
LTS depends on CVEs. And we see here that the CVE database is not entirely
trustworthy. The chain is a bit broken.

~~~
madez
But the press and slow moving organizations love it.

------
seapunk
Compiled here:
[https://threader.app/thread/1153963312981389312](https://threader.app/thread/1153963312981389312)

------
yrro
What's the CVE for the actual security issue in libebml?

... I guess there isn't one. According to VLC upstream it was fixed in libebml
1.3.6.

[https://trac.videolan.org/vlc/ticket/22474#comment:21](https://trac.videolan.org/vlc/ticket/22474#comment:21)
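The version gate implied by the comment above, as an added example that is not VideoLAN's or Debian's own tooling: it re-implements dpkg's version ordering in Python so the comparison can be run on any machine, then applies it to `dpkg-query` output to flag a libebml package older than 1.3.6. The fixed version comes from the trac comment linked above; the package lines in the block are constructed samples (the first mirrors the Debian 9.9 `libebml4v5 1.3.4-1` quoted elsewhere in this thread), and the `--live` switch and the `dpkg-query` invocation are assumptions about a Debian/Ubuntu host.

```python
r"""Gate installed Debian/Ubuntu packages against the version that carries a fix.

Added example, not VideoLAN or Debian tooling. Re-implements dpkg's version
ordering (epoch:upstream-revision, '~' sorting before everything, digit runs
compared numerically) and applies it to lines in the format printed by:
    dpkg-query -W --showformat='${Package} ${Version}\n' 'libebml*'
"""
from typing import List, Optional, Tuple


def _order(c: str) -> int:
    # dpkg ordering for non-digit characters: '~' < end-of-string (0) < letters < others
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp(); returns -1, 0 or 1."""
    while a or b:
        # Non-digit runs, character by character; a missing character counts as 0.
        ia = ib = 0
        while ia < len(a) and not a[ia].isdigit():
            ia += 1
        while ib < len(b) and not b[ib].isdigit():
            ib += 1
        for i in range(max(ia, ib)):
            ca = _order(a[i]) if i < ia else 0
            cb = _order(b[i]) if i < ib else 0
            if ca != cb:
                return -1 if ca < cb else 1
        a, b = a[ia:], b[ib:]
        # Digit runs, compared numerically so 1.3.10 sorts after 1.3.9.
        ia = ib = 0
        while ia < len(a) and a[ia].isdigit():
            ia += 1
        while ib < len(b) and b[ib].isdigit():
            ib += 1
        na, nb = int(a[:ia] or "0"), int(b[:ib] or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ia:], b[ib:]
    return 0


def split_version(v: str) -> Tuple[int, str, str]:
    """'1:1.3.4-1' -> (1, '1.3.4', '1'); a missing epoch or revision is 0 / ''."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    head, sep, tail = v.rpartition("-")
    return (epoch, head, tail) if sep else (epoch, v, "")


def compare_versions(a: str, b: str) -> int:
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def audit(dpkg_output: str, fixed_in: str, prefix: str = "libebml") -> List[Tuple[str, str, bool]]:
    """Return (package, version, patched) for each line whose package starts with prefix."""
    rows = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split(None, 1)
        if pkg.startswith(prefix):
            rows.append((pkg, ver.strip(), compare_versions(ver.strip(), fixed_in) >= 0))
    return rows


FIXED_IN = "1.3.6"  # fix version per the VLC trac comment linked above

# Constructed sample in dpkg-query format, not captured from a real host: the first
# line mirrors the Debian 9.9 'libebml4v5 1.3.4-1' quoted in this thread, the rest are made up.
SAMPLE_DPKG_OUTPUT = """\
libebml4v5 1.3.4-1
libebml5 1.3.9-2
libmatroska6v5 1.4.5-2
"""

if __name__ == "__main__":
    import subprocess
    import sys

    if "--live" in sys.argv:  # assumed switch: query the real dpkg database instead
        cmd = ["dpkg-query", "-W", r"--showformat=${Package} ${Version}\n", "libebml*"]
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    else:
        out = SAMPLE_DPKG_OUTPUT
    for pkg, ver, ok in audit(out, FIXED_IN):
        print(f"{pkg:16} {ver:12} {'ok' if ok else 'OLDER than ' + FIXED_IN}")
```

The ordering matters for the cases that bite in practice: `1.3.6~rc1` must sort below `1.3.6`, a distro revision such as `1.3.6-0ubuntu1` must count as patched, and `1.3.10` must sort above `1.3.9`; a plain string or float comparison gets all three wrong. On a real host `dpkg --compare-versions` gives the same answer and is the authoritative implementation.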

------
trilila
gizmodo.com.au still shows "You Might Want To Uninstall VLC. Right Now.
Immediately." in their title. This highlights the untrustworthiness of most
"news" today, be it software, politics or business related. It's unbelievable
how poorly researched articles can damage people and businesses alike. I think
this is one of the biggest pain points of today's world, and it needs
solving fast.

------
lsferreira42
It's on the front page of the most accessed tech blogs in Brazil too, this is a
shame!

------
xs83
I'm sorry but this is a shitty response from VLC:

>The reporter is using Ubuntu 18.04, which is an old version of Ubuntu, and
clearly has not all the updated libraries.

18.04 is an LTS version, many people (myself included) will be using this
until 20.04 comes out next year! It is not old - it gets regular updates for
both security and features - clearly the library for whatever reason is
excluded.

~~~
bscphil
They aren't blaming you for using the LTS version, and they aren't blaming
Ubuntu for having an LTS version. The blame is (implicitly) on Ubuntu for not
making sure the libraries their LTS version ships are up to date with the
latest security patches. VLC itself isn't vulnerable - the problem is that
some distributions are compiling it themselves with old libraries, which is
100% their own fault.

------
sleepysysadmin
Delete

~~~
stronglikedan
> _Is the fix lawyers suing them all for libel /slander?_

IMHO, it's definitely time for this to be allowed.

------
reneberlin
The users booting up Windose to use VLC have a much bigger problem in terms of
vulnerability than this reportedly false claim on the VLC app.

But - they don't know. And the newspapers will not report it in a dramatic
post like this one.

------
onli
I don't like the exchange with TheRegister:

> TheRegister: _FWIW we reported the VLC developers were skeptical. Happy to
> update our coverage accordingly._

> _Tho, FWIW, the PoC .MP4 seg-faulted our 3.0.7 VLC installation._

> VideoLAN: _using a linux distribution? with an old libebml?_

> TheRegister: _Using Debian 9.9, using libebml4v5 1.3.4-1_

> VideoLAN: _Yes, so your issue is your distribution is not up-to-date, not
> VLC._

No, the issue is that a lib VLC uses is not up-to-date, and it just happens
that VLC is installed on a distribution, as is normal. It can't run on bare
metal. If I understand
[https://tracker.debian.org/pkg/libebml](https://tracker.debian.org/pkg/libebml)
correctly it is possible the issue here is that oldstable Debian did not
receive a (security?) update for libebml. But this still affects the users of
the program. It's still something that could be justified to notify users
about.

But I understand the frustration about not being contacted, and I understand
the project does not want to be seen as responsible for this if the fault lies
with Debian. And it's absolutely possible the CVEs on VLC are wrong, I remember
being surprised a few times about their strange severity. But still. I don't
like this blame shifting. If users do not run an unsupported distribution it is
not completely unreasonable to assume this falls into the security sphere of
the main project, VLC.

~~~
kalleboo
Is it now the responsibility of every piece of software to check the versions
of every library they're linked to for security patches? Shouldn't that be the
responsibility of the distribution?

edit: is there even a common method for the developer of a library like
libebml to flag an update as a security fix to increase the priority of it, or
is that up to the package maintainers of each individual distribution to
determine? edit2: Or is that common method "file a CVE"?

~~~
onli
My point is a different one: If a user or a journalist installs the current
version of the software and he runs a current distro it is not a surprise that
he assumes a (security) flaw that manifests when using that program is caused
by the program. The main project does not necessarily have to fix it
themselves, but ideally would notify the distro (and that would make for a
good response).

~~~
kalleboo
Your post said "notify users about", which is where my comment came from.

Notifying distros is something they could do, but how many/which distros do
they have to notify? It seems like it could be a massive job in itself. Hence
my edit :p

~~~
onli
Yes, you are definitely correct there. A project can't handle this well all
the time. It's too huge a task and too decentralized a system.

------
fulafel
I think the VLC developers come off as pretty defensive in this. They flame
the reporter for opening the issue on the issue tracker, but on the issue the
reporter says that he got no response from the VLC security contact which he
tried first. Then, they dismiss the vulnerability and flame the CVE assigners,
because VLC themselves are shipping a distribution with the vuln fixed, even
though many Linux distributions and presumably other distributors of VLC
remain vulnerable - a situation clearly requiring vulnerability coordination
and a CVE assignment.

~~~
jbk
Absolutely not:

- the reporter never contacted us, we have a clear process and a bounty
program. We checked again, he never did.

- we receive and process all security issues privately: we fixed 31 of them
in the last update. And miraculously, the other reporters managed to contact us.

- Linux is the smallest OS for VLC.

- An issue on one or two Linux distributions for an OOB-read crash is very very
different from "VLC vulnerable on all machines, uninstall now!"

- The CVE number of 9.8 makes no sense. How do you even exploit this crash?

- VLC has DEP and ASLR activated everywhere. How do you execute code with
this read issue?
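A check for the two mitigations listed in the comment above, as an added example that is not VideoLAN's code: it reads only the ELF header and program headers of a 64-bit little-endian binary and reports NX (DEP: a PT_GNU_STACK entry without the PF_X bit) and PIE (e_type ET_DYN, which is what lets ASLR randomize the main executable's base; a shared library such as libebml is ET_DYN by construction). The sample images are constructed inside the block, and the default path `/usr/bin/vlc` is an assumption about a Debian/Ubuntu install. It does not cover RELRO, stack canaries or the kernel's randomize_va_space setting.

```python
"""Report NX (DEP) and PIE for an ELF64 image from its headers alone.

Added example, not VideoLAN code. Only the ELF header and program headers are
parsed, so any file can be checked without loading or running it.
"""
import struct
import sys
from typing import Dict, Optional

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551  # program header that records the stack permissions
PF_X = 0x1


def check_mitigations(data: bytes) -> Dict[str, bool]:
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_flags: Optional[int] = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        "gnu_stack_present": stack_flags is not None,
        # No PT_GNU_STACK at all: the historical x86 kernel default is an executable stack.
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        # ET_DYN: a PIE executable, or a shared object (always position-independent).
        "pie": e_type == ET_DYN,
    }


def build_elf64(e_type: int, stack_flags: Optional[int]) -> bytes:
    """Constructed sample: a 64-byte ELF64 header plus an optional PT_GNU_STACK entry.

    Not a loadable binary, just enough structure for check_mitigations().
    """
    phnum = 0 if stack_flags is None else 1
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1, SysV
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident,
                       e_type, 0x3E, 1, 0, 64 if phnum else 0, 0, 0,
                       64, 56, phnum, 64, 0, 0)
    phdr = b""
    if phnum:
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Assumed path for a Debian/Ubuntu install; pass another binary or .so as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/vlc"
    with open(path, "rb") as f:
        print(path, check_mitigations(f.read()))
```

The same two facts are visible with `readelf -lW <file>` (the `GNU_STACK` line shows `RW` rather than `RWE`) and `readelf -h <file>` (`Type: DYN`). Note that a read-only out-of-bounds access in a library is a crash or an information leak regardless of these flags; NX and PIE raise the cost of turning a write primitive into code execution, they do not change what a read can do.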

~~~
pgeorgi
Since this is tarnishing your brand, maybe ask Ubuntu to cease shipping "VLC"
if they do such a half-assed job (enough effort to replace integrated
libraries with system packages, not enough effort to maintain those packages)?

~~~
tgragnato
> maybe ask Ubuntu to cease shipping "VLC"

I want applications to be packaged by my distribution. Updates are up to
maintainers (dependencies included), as it has always been.

If MITRE wants to assign a CVE, warning people that they need an updated lib,
that's fine. The issue is the trustworthiness and handling of CVEs (... plus
reporters).

~~~
jakear
My impression is that VLC did issue an update to use a more recent version of
libebml, but Ubuntu/Debian maintainers patched it to use universe’s outdated
version (which they don’t even maintain!)

~~~
tgragnato
Yes! A glaring example of dependency hell (in Debian words "incompatible
library changes with reverse dependencies").

Patching for an older version of libebml is not an issue if that library is
not vulnerable (that's why folks use LTS and stable). Want maintainers to know
there's a vulnerability? Publish a CVE _for libebml_.

