back to article Video nasty: Two big bugs in VLC media player's core library

A Turkish hacker has revealed two zero-day vulnerabilities in library code used by the popular VLC media player and others. The data execution prevention (CVE-2014-9597) and write access (CVE-2014-9598) violation vulnerabilities could lead to arbitrary code execution, researcher Veysel Hatas said in a post. "VLC Media Player …

  1. Anonymous Coward
    Unhappy

    FFS

    "VLC's developers, Videolan Software, were informed of the flaws on Boxing Day and had not issued fixes for the latest stable version, 2.1.5, by the time of disclosure 9 January"

    Curse those people having holidays!

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: FFS

      Is that some kind of beverage?

      1. This post has been deleted by its author

    2. Lee D Silver badge

      Re: FFS

      I find that a bit quick, for disclosure.

      To think that MS were whining about 90 days +!

      And the fix is in the developer version, according to the article.

      Sorry, but if you did that to a commercial project, they'd tear your arms off and beat you to death with the soggy end.

      But two weeks is barely adequate to test a fix.

      1. This post has been deleted by its author

  2. seven of five

    And why was it impossible to him to keep quiet until Version 2.2.0-rc2 went live?

    1. h4rm0ny

      >>"And why was it impossible to him to keep quiet until Version 2.2.0-rc2 went live?"

      I suspect because then they wouldn't get the "prestige" of having found two dangerous zero-day exploits. Probably saw it in the upcoming developer release, thought their chance of some press was going away, and announced it. Sad.

  3. Oh Bother

    Does he work

    for Google?

  4. Dan 55 Silver badge
    FAIL

    Responsible security research, he's heard of it

    So, he didn't try the latest VideoLAN build where he would have found that the bugs weren't there, he didn't report the bugs to the right people (FFmpeg for avcodec instead of VideoLAN), and then he let the world and dog know about it maybe because otherwise he wouldn't get the glory.

    1. foxyshadis

      Re: Responsible security research, he's heard of it

      If your application is vulnerable, then it's your problem, whether it stems from an underlying library or not.

      If this is the case, then LOTS of other ffmpeg-based players and converters are probably similarly vulnerable. I love ffmpeg, it can read and write practically anything for free, but this is one of the downsides of a monoculture.

      1. shaolin cookie

        Re: Responsible security research, he's heard of it

        When closing a bug report as not being caused by your application, you should file a bug to the library where the actual cause lies. Hopefully they have done this, but I for one couldn't spot these on the ffmpeg bug system. Could of course just be a more detailed description that sounds different.

        1. Dan 55 Silver badge

          Re: Responsible security research, he's heard of it

          VideoLAN probably didn't open a bug upstream because there was no need to, the bug was already fixed in the later version of libavcodec.

          1. Eddy Ito

            Re: Responsible security research, he's heard of it

            He does list the status of the bugs as "fixed" so perhaps he heard 2.2.0 wasn't vulnerable and felt it safe to disclose.

    2. Captain Scarlet Silver badge

      Re: Responsible security research, he's heard of it

      "So, he didn't try the latest VideoLAN build where he would have found that the bugs weren't there"

      Maybe he did and realised they had already fixed it, so decided to disclose it before the fix was released to get rich and internet famous.

  5. Jim 59

    Awaiting explitation

    Aren't we all, dearie.

  6. Unicornpiss
    Alert

    @monocolture

    "I love ffmpeg, it can read and write practically anything for free, but this is one of the downsides of a monoculture"

    ...as opposed to instead having either dozens of vulnerable codecs, or missing enough codecs that idiots will download anything that a quick web search reveals MIGHT play their content, infecting themselves with viruses, adware, and at the minimum, installing poorly-written software that probably uses the ffmpeg library anyway, or God forbid, Quicktime.

  7. Cronus
    Holmes

    Anyone else notice that his posts lists the system he was testing on as XP SP 3?

    1. Paul Johnston
      Pint

      Cheers!

      Not until you so kindly pointed it out!

    2. BongoJoe

      Perhaps he prefers to use a stable system. As I do for my development; the Win7 machine is too flaky compared to XP.

      1. This post has been deleted by its author

        1. BongoJoe

          Or perhaps Win7 doesn't let your dodgy apps run rampantly through the system raping whatever they like along the way? ;)

          I wish my apps would do something fun and interesting like that but, alas, they don't.

          I should have made my post a little more clear; I meant the development platforms on XP are more solid than on Win 7 and they move faster too which is why my live data cruncher runs on XP as I can't hang around all night for W7.

          Mind you, if I could only find my Win2K disks...

      2. NumptyScrub

        Perhaps he prefers to use a stable system. As I do for my development; the Win7 machine is too flaky compared to XP.

        If a professional developer does not understand the implications of using an outdated and unsupported version of someone else's software, then I really don't know what to say.

        I am disappoint.

        1. BongoJoe

          Well, if no-one is able to access the machine then it makes no difference if it is supported or not. And are all of the bugs, exploits, holes stomped on, fixed or blocked in the latest o/s? No.

          Then it doesn't matter two hoots what I use.

          Secondly, there are some compatability issues with the later o/s which aren't in the older ones for some applications which MS have 'promised' to fix and haven't.

          And, lastly, shove XP on a new machine run a massive database bashing exercise (say a few million SQL queries) then do the same on Win7. Compare the run times for both.

          And if you are still disappoint (sic) then, fair enough, I deserve that downvote.

          1. Anonymous Coward
            Anonymous Coward

            I would not run a database nor on XP nor on W7. Neither are optimized for server tasks. Anyway the OS matters little when it comes to databases - raw I/O speed and memory size matter far more. And here a 64 bit 7 will outperform any 32 bit XP - and even a 64 bit XP which was mostly a "proof of concept". Moreover the 7 kernel is far better optimized to use a large amount of memory and multicore processors (which were not available when XP was designed - IIRC XP came also with an HAL optimized for single core single processor hardware...)

            And if you're just running the client running the queries against a DB server, well, again, the OS matters very little....

            If your code shows huge differences between the two OS, I guess you have some hidden issues in your code.

            Surely not all bugs are fixed in 7, but XP won't get any bugs fixed. And newer apps may use APIs not available on XP.

          2. NumptyScrub

            Well, if no-one is able to access the machine then it makes no difference if it is supported or not. And are all of the bugs, exploits, holes stomped on, fixed or blocked in the latest o/s? No.

            Then it doesn't matter two hoots what I use.

            It was more a dig aimed at the usual response given when someone asks for help with issues with Software v(N-2), aka "version N is the currently supported version, please upgrade".

            An airgapped XP machine is as secure as any airgapped machine. I'd still recommend rebuilding that dodgy Win7 box (it should be stable, we have stable Win7 boxen here) and when you have it working properly, migrate to that as your dev box. The additional thread scheduling and handling thingies, and the ability to just throw RAM at the problem (yay 64-bit OS!) hopefully outweigh the effort of kicking it into shape.

            Secondly, there are some compatability issues with the later o/s which aren't in the older ones for some applications which MS have 'promised' to fix and haven't.

            Whenever I've had support requests for older apps on a newer OS, I've usually gone the route of upgrading the user to the version which is certified to work with the newer OS (and waiting for that version to be released, in one or 2 cases). I don't know how much effort is required to build Win7 / 8 / 10 compatible apps out of an older XP codebase, however given XP is unsupported I had kind of assumed that everyone would be making the switch anyway.

            And, lastly, shove XP on a new machine run a massive database bashing exercise (say a few million SQL queries) then do the same on Win7. Compare the run times for both.

            So, assuming you mean to run both on the same hardware and only the OS differs, I'll specify a machine with an i7 5960X (8 core with hyperthreading), 32GB RAM and running 2x 512GB SSDs in a RAID stripe. I've deliberately picked stuff I think XP will struggle to support or use; 16 virtual cores (does the XP HAL allow for 16 simultaneous threads?), more than 4GB of RAM (32-bit XP will also only allocate 2GB to any one user process), and SATA3 drives.

            Will XP be quicker in that situation? I suspect not, because I've skewed it to try and hobble XP. However any enthusiast (and most corporate number crunching users) run a 64-bit OS and have >4GB RAM for very similar purposes. We have a few data analysts here that run local database servers (16+GB RAM in those boxes), are you sure that they would see a performance increase if I were to switch them to XP?

            1. This post has been deleted by its author

  8. Richard Hewitt

    Loving the 'Hero' image that goes with this article on the front page. Not. A really really low quality stretched Stock image of cones. No image is better, really!

    1. Dan 55 Silver badge
      Thumb Up

      Couldn't we have had The Coneheads at least?

      So much image space, so little idea of what to do with it...

    2. John Brown (no body) Silver badge
      Thumb Up

      "Stock image of cones"

      Yes, a tenuous link to the VLC default icon/logo but I see you've shamed someone at El Reg into removing it from the article now. Well done!

      1. Anonymous Coward
        Anonymous Coward

        But.. but.. I liked the cones...

        1. Mad Chaz

          Lister: We’re on a mining ship, 3 million years into deep space. Can someone explain to me where the smeg I got this traffic cone?

          Cat: Hey, it’s not a good night unless you get a traffic cone! It’s the policewoman’s helmet and the suspenders that I don’t understand!

  9. chivo243 Silver badge
    Trollface

    Just two file types

    "FLV" only some stupid clips my friend sent me... or M2V call me n00b here, can't say I've played one. Are either of these formats "mainstream" in any way. Should I be worried? Maybe I can't feel the sky falling here...

    1. Preston Munchensonton
      Facepalm

      Re: Just two file types

      That was my first thought as well. Given the lack of portability of FLV and M2V compared to other formats (MP4), I can't imagine I've used either since the days of Win98. I'm sure there'll be some l33t troll that will claim this upsets their entire home setup, but surely this is much ado about nothing, in terms of impact.

  10. Looper
    Flame

    Attention Seeking Clown...

    or Awareness Forcing Mercenary?

    I'm guessing the former.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like