VLC developers deny alleged security flaw
A new security flaw was recently reported in VLC Media Player, which could allegedly be used to launch denial-of-service attacks and steal data.
It has been reported today that VLC Media Player has a potentially serious security flaw. Various media outlets have even told their readers to stay away from the media player and have directly advised them to uninstall it, as the bug could supposedly be used to execute remote code, destroy files, steal data and do more damage. However, there is another side to the story, told by the VLC developers, which has not yet been widely reported.
The security flaw, CVE-2019-13615, was catalogued by CVE against version 3.0.7.1 of VLC and was reported by CERT-Bund. The vulnerability currently has a NIST severity score of 9.8 out of 10, which classifies it as critical. As explained in the CVE entry, triggering the bug requires opening a malformed MKV file; in theory, if someone downloads a malicious MKV file, the VLC bug could be used to run code remotely and cause damage ranging from data theft to service interruption. The macOS version of the software does not appear to be affected, and no exploitation of the bug has been reported so far.
However, there is more to the story. VLC developers have stated that the original exploit report was incorrect, because the bug had already been fixed in version 3.0.3 of the app.
Lead VLC developer Jean-Baptiste Kempf commented that the alleged bug was not as big as everyone else was making it out to be. In a comment, he further wrote: “This does not crash a normal release of VLC 3.0.7.1.” Another VLC developer, François Cartegnie, wrote: “If you land on this ticket via a news article claiming a serious error at VLC, I suggest you read the comment above first and reconsider your (fake) news sources.”
VideoLAN also took to Twitter to discuss the matter and wrote: “A reporter has opened a bug in our bugtracker, which, outside the reporting policy, aka, mail us personally under the nickname Security.” They added: “Reporter is using Ubuntu 18.04, which is an older version of Ubuntu and obviously not all updated libraries.” You can check out their official statement in the thread below.
About “security issues” #VLC: VLC is not weak.
tl;dr: The problem is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
The correct version has been shipped from VLC version 3.0.3, and @MITREcorp did not even verify their claim.
– VideoLAN (@videolan) 24 July 2019
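The practical question for an administrator reading the statement above is whether an installed VLC predates the 3.0.3 release that VideoLAN says ships the fixed libebml. The following is an added example, not code from the article or from VideoLAN: it parses the banner line printed by `vlc --version` and compares the version tuple against the 3.0.3 threshold quoted in the tweet. The banner text is constructed for the example; the regular expression and the `libebml_at_least` helper (whose minimum version is a placeholder, since the page does not name the fixed libebml release) are assumptions of this example.

```python
import re

# Minimum VLC release that VideoLAN's statement says carries the fixed
# libebml ("shipped from VLC version 3.0.3").
FIXED_VLC_VERSION = (3, 0, 3)

# Placeholder: the page does not state which libebml release contains the
# fix, so fill this in from the distribution's advisory before relying on it.
FIXED_LIBEBML_VERSION_PLACEHOLDER = (0, 0, 0)


def parse_version(text: str, prefix: str):
    """Return the dotted version following `prefix` as a tuple of ints,
    e.g. 'VLC media player 3.0.8 Vetinari' -> (3, 0, 8). None if absent."""
    m = re.search(re.escape(prefix) + r"\s*(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def vlc_at_least_fixed(banner: str) -> bool:
    """True when the `vlc --version` banner reports 3.0.3 or newer.
    An unparsable banner is treated as not verified (False)."""
    version = parse_version(banner, "VLC media player")
    if version is None:
        return False
    # Tuple comparison handles four-part versions such as 3.0.7.1 correctly.
    return version >= FIXED_VLC_VERSION


def libebml_at_least(version_line: str, minimum=FIXED_LIBEBML_VERSION_PLACEHOLDER) -> bool:
    """Distribution builds of VLC link the system libebml, so on Ubuntu-style
    installs the VLC version alone says nothing about the library.
    `version_line` is expected to look like 'libebml 1.2.3' (format assumed)."""
    version = parse_version(version_line, "libebml")
    if version is None:
        return False
    return version >= minimum


if __name__ == "__main__":
    # Constructed sample banners, not real program output.
    samples = [
        "VLC media player 3.0.8 Vetinari (revision constructed)",
        "VLC media player 3.0.7.1 Vetinari (revision constructed)",
        "VLC media player 3.0.2 Vetinari (revision constructed)",
        "VLC media player 2.2.8 Weatherwax (revision constructed)",
    ]
    for line in samples:
        status = "fixed libebml expected" if vlc_at_least_fixed(line) else "predates 3.0.3"
        print(f"{line.split(' (')[0]!r}: {status}")
```

On a distribution build, run both checks: the VLC banner tells you the bundled source level, while the separately packaged libebml decides whether the MKV parsing path is actually patched, which is exactly the Ubuntu 18.04 situation the developers describe.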