Report that VLC media player is vulnerable is a false alarm, developer VideoLAN says in a statement
VideoLAN, which develops VLC media player, responded on Twitter to reports of a critical vulnerability in VLC media player with a statement that the vulnerability has already been fixed and the coverage is mistaken.
About the 'security issue' on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
Thread:
— VideoLAN (@videolan) July 24, 2019
On July 19, 2019, CERT-Bund, the emergency response team of Germany's Federal Office for Information Security (BSI), announced that a vulnerability had been discovered in the free software VLC media player that could allow remote arbitrary code execution and file manipulation. The vulnerability was registered in MITRE's vulnerability information database (CVE) and in the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST), and was rated as a critical issue.
Vulnerability enabling PC hijacking found in media player 'VLC' - GIGAZINE
However, according to VideoLAN's official Twitter account, although the reported vulnerability actually exists, it lies in a third-party library, 'libebml', and was fixed more than 16 months ago. VLC media player has also shipped the fixed library since version 3.0.3. VideoLAN therefore reports that it could neither confirm nor reproduce the vulnerability in the latest version, 3.0.7.1.
As for why a vulnerability that should already have been fixed was reported, VideoLAN pointed out: 'The reporter is using Ubuntu 18.04, an older version, and the library update is incomplete.' VideoLAN sent an inquiry email to CERT-Bund, but there was no reply.
The reporter is using Ubuntu 18.04, which is an old version of Ubuntu, and clearly has not all the updated libraries.
But did not answer to our questions.
— VideoLAN (@videolan) July 24, 2019
Even though it had already been fixed, the vulnerability was reported to and registered in CVE and NVD. According to VideoLAN, there have been a number of cases in which a VLC media player vulnerability was registered in CVE without MITRE contacting VideoLAN, and VideoLAN has come to distrust MITRE. VideoLAN also criticizes Gizmodo, an overseas media outlet that urged users to 'uninstall immediately'.
For whatever reason, unknown to us, @MITREcorp decided to issue a CVE, without talking to us.
This is in direct violation of their own policies, https://t.co/yyDhK6Ls3u pic.twitter.com/8AZWpimNBC
— VideoLAN (@videolan) July 24, 2019
in Software, Posted by log1i_yk