News broke recently that the VLC Media Player has a potentially critical security flaw. Several media outlets have even asked their readers to avoid the media player and outright advised them to uninstall it, because the flaw can reportedly be used to achieve remote code execution, corrupt files, steal data, and do much more harm. However, there is another side of the story being told by the VLC developers, which hasn't been reported as widely yet.
The security flaw, CVE-2019-13615, was apparently discovered in version 3.0.7.1 of VLC by CVE and reported by CERT-Bund. The vulnerability currently has a NIST risk rating of 9.8 out of 10, which classifies it as a critical risk. As described by CVE, the flaw requires you to play a malformed MKV file; in theory, if one downloads a malicious MKV file, the VLC bug could be used to execute code remotely and cause damage ranging from data theft to service disruption. The macOS version of the software doesn't appear to be affected, and there have been no reports of the flaw being misused yet.
However, there's more to the story. VLC developers claim that the original exploit report is wrong, since they already fixed the flaw with version 3.0.3 of the app.
Lead VLC developer Jean-Baptiste Kempf commented that the alleged bug isn't as big of a deal as everyone seems to be making it out to be. In a comment, he also wrote: “This does not crash a normal release of VLC 3.0.7.1.” Another VLC developer, Francois Cartegnie, wrote: “If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you read the above comment first and reconsider your (fake) news sources.”
VideoLAN also took to Twitter to talk about the matter, and wrote: “a reporter opened a bug on our bugtracker, which is outside of the reporting policy, aka, mail us in private on the security alias.” They further added: “the reporter is using Ubuntu 18.04, which is an outdated version of Ubuntu, and clearly has not all of the updated libraries.” You can check their official statements in the thread mentioned below.
Regarding the “security issue” on #VLC: VLC is not vulnerable.
tl;dr: the issue is in a third party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp didn't even check their claim.
— VideoLAN (@videolan) 24 July 2019
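The practical question for anyone reading this is whether their own VLC build predates the 3.0.3 release that VideoLAN says first shipped the corrected libebml. The script below is an added example, not code from the article or from VideoLAN: it parses the banner printed by `vlc --version` (the banner format "VLC version 3.0.7.1 Vetinari" is assumed, and the sample banners are constructed) and compares the dotted version against 3.0.3, padding versions of unequal length so 3.0.3 and 3.0.3.0 compare equal. It only answers for VideoLAN's own builds; a distribution package links the distro's system libebml, which is exactly the Ubuntu 18.04 situation the tweet describes, so for those the distro's advisory for libebml is the thing to check.

```python
"""Classify a VLC build by whether its release train bundles the fixed libebml.

Assumptions (not from the article): `vlc --version` prints a line such as
"VLC version 3.0.7.1 Vetinari"; the threshold 3.0.3 is the release VideoLAN
names as the first to ship the corrected libebml.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Per the VideoLAN statement: 3.0.3 and later ship the correct libebml.
FIXED_SINCE: Version = (3, 0, 3)

_VERSION_RE = re.compile(r"\bVLC version (\d+(?:\.\d+)*)")


def parse_vlc_version(banner: str) -> Optional[Version]:
    """Extract the dotted version from `vlc --version` output; None if absent."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def compare_versions(a: Version, b: Version) -> int:
    """Numeric compare of dotted versions of unequal length (3.0.3 == 3.0.3.0).

    Returns -1, 0 or 1. Comparing as integers avoids the string-compare bug
    where "3.10" sorts below "3.2".
    """
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


def ships_fixed_libebml(banner: str) -> Optional[bool]:
    """True if the build is 3.0.3 or newer, False if older, None if unparseable.

    Only meaningful for VideoLAN's own builds: a distro package links the
    system libebml, so consult the distro advisory for that library instead.
    """
    version = parse_vlc_version(banner)
    if version is None:
        return None
    return compare_versions(version, FIXED_SINCE) >= 0


def check_installed() -> Optional[bool]:
    """Run the locally installed vlc and classify it; None if vlc is absent."""
    try:
        proc = subprocess.run(["vlc", "--version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return ships_fixed_libebml(proc.stdout)
```

Run it with `python3 -c 'import vlc_check; print(vlc_check.check_installed())'` (assuming the file is saved as `vlc_check.py`); `True` means the release train already bundles the fixed library, `False` means an update to 3.0.3 or later is due.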