VLC video player has gaping security hole and there's no fix available
The Germans have discovered that the latest stable 184.108.40.206 version of the VideoLAN media player has a heap-based buffer over-read in the demux code for mkv containers. Simply opening a carefully crafted video file using the mkv container is enough to have evil code executed on the system. The vulnerability affects both GNU/Linux and Windows machines.
Concretely, the function mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp will read more data into memory than it should when it is called from mkv::Open in modules/demux/mkv/mkv.cpp. VLC will detect the demuxer even if the file extension is wrong, so a specially crafted mkv file could be named exploit.mp4.
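Because the demuxer is chosen from content rather than from the extension, a defender can apply the same test when triaging incoming files. The following is an added example (not code from this article or from VLC) that parses the EBML header at the start of a Matroska file and flags files whose DocType is matroska or webm but whose extension says otherwise, such as exploit.mp4. The function names and the sample header bytes are constructed for illustration; the check identifies the container only, not whether a file is malicious.

```python
import os

EBML_MAGIC = b"\x1a\x45\xdf\xa3"   # ID of the EBML header element
DOCTYPE_ID = 0x4282                 # ID of the DocType element
MATROSKA_EXTS = {".mkv", ".mka", ".mks", ".mk3d", ".webm"}

def _vint(buf, pos, keep_marker):
    """Read one EBML variable-length integer; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated")
    first = buf[pos]
    length = 9 - first.bit_length()          # leading zero bits + 1
    if length > 8 or pos + length > len(buf):
        raise ValueError("bad or truncated vint")
    # Element IDs keep the length marker bit, sizes drop it.
    value = first if keep_marker else first & (0xFF >> length)
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length

def ebml_doctype(data):
    """Return the DocType of an EBML header, or None if data is not EBML."""
    if not data.startswith(EBML_MAGIC):
        return None
    try:
        size, pos = _vint(data, 4, keep_marker=False)
        end = min(pos + size, len(data))     # never trust the declared size
        while pos < end:
            elem_id, pos = _vint(data, pos, keep_marker=True)
            elem_size, pos = _vint(data, pos, keep_marker=False)
            if pos + elem_size > end:
                return None                  # child overruns the header
            if elem_id == DOCTYPE_ID:
                raw = data[pos:pos + elem_size].rstrip(b"\x00")
                return raw.decode("ascii", "replace")
            pos += elem_size
    except ValueError:
        return None
    return None

def is_disguised_matroska(filename, data):
    """True if the content is Matroska/WebM but the extension says otherwise."""
    ext = os.path.splitext(filename)[1].lower()
    return ebml_doctype(data) in ("matroska", "webm") and ext not in MATROSKA_EXTS

# Constructed sample: EBML header with EBMLVersion=1 and DocType="matroska".
SAMPLE = b"\x1a\x45\xdf\xa3\x8f\x42\x86\x81\x01\x42\x82\x88matroska"

if __name__ == "__main__":
    print(is_disguised_matroska("exploit.mp4", SAMPLE))
```

Passing the first few kilobytes of a file as `data` is enough, since the EBML header sits at the very start of the container.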
German CERT-Bund describes the risk as "hoch" (high). The vulnerability is assigned CVE-2019-13615.
While the Germans are in theory right when they claim the risk is "hoch", it is in practice near-zero. Someone could go through the trouble of creating a specially crafted .mkv file just for you and attempt to social engineer you into opening it if you are a high-value target. The odds of randomly encountering such a specially crafted file that works on your machine are low. Then there is the issue of compatibility. Both GNU/Linux and Windows versions of VLC are vulnerable, but Windows exploit code will not work on GNU/Linux and vice versa.
You may want to use mpv instead of VLC for the time being if you consider yourself a high-value target. Whether the excitement of opening potentially dangerous video files in VLC until a fixed version is released is worth the risk is a very personal choice.
published 2019-07-21 - last edited 2019-07-21