Forum Thread: VLC Media Player update

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
jonrichco VLC Media Player update
Member 5th Mar, 2012 08:45
Ranking: 0
Posts: 23
User Since: 27th Nov, 2008
System Score: N/A
Location: AU
Secunia advises that VLC 1.1.11 is insecure and to update to 1.1.13. The latter does not seem to exist. The current version of VLC is 2.0.

M.Rehman RE: VLC Media Player update
Secunia Official 5th Mar, 2012 14:21
Score: 25
Posts: 41
User Since: 12th May 2011
System Score: N/A
Location: Copenhagen, DK
Hi.

VLC 1.1.11 is the latest installable version; however, it is insecure.
1.1.13 is the latest patched version; however, there are no binary releases.
In other words, there are no installers you can just run.

The issue is in a file in the folder called "plugins", and 1.1.13 is the fixed DLL file, which has to replace the old one from 1.1.11.

The DLL file does not have any metadata, so we cannot detect it; however, we've made a special package for this.

When you run the update from the PSI, it'll switch the old insecure file with the new secure one; however, due to no metadata changes in any of the detectable files, the PSI cannot detect anything.
If you go to your VLC folder, you'll see a folder called "plugins". In that folder is a file called "libty_plugin.dll".
This is the insecure file.
If you look at this file after running the Secunia package, you'll notice that the time stamp for this is different from all the other files in the folder.

Hope this helps in understanding the issue with VLC.

--
Kind regards,

Munib Rehman
Secunia Support

Secunia PSI
http://secunia.com/vulnerability_scanning/personal
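An added example, not part of the post above and not Secunia's code: when a fix replaces a single DLL that carries no version metadata, a content hash is the reliable check, and the modification time only hints that a file was swapped. The sketch below audits a plugins folder both ways; the file contents, the extra plugin names, the timestamps and the "known bad" digest are constructed for the demonstration, and a real digest would have to come from the vendor's builds.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large plugins are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_plugins(plugins_dir, known_bad, bucket_seconds=86400):
    """Return (names whose digest is known bad, {name: digest} of mtime outliers)."""
    files = sorted(p for p in Path(plugins_dir).iterdir() if p.is_file())
    if not files:
        return [], {}
    digests = {p.name: sha256_of(p) for p in files}
    vulnerable = [name for name, d in digests.items() if d in known_bad]
    # Files from one installer share a day; anything outside the majority
    # bucket was written separately (patched, or tampered with).
    buckets = {p.name: int(p.stat().st_mtime // bucket_seconds) for p in files}
    install_bucket, _ = Counter(buckets.values()).most_common(1)[0]
    outliers = {n: digests[n] for n, b in buckets.items() if b != install_bucket}
    return vulnerable, outliers

def demo():
    """Build a constructed plugins folder, audit it, patch one file, audit again."""
    old, new = b"constructed vulnerable build", b"constructed fixed build"
    known_bad = {hashlib.sha256(old).hexdigest()}    # placeholder digest
    installed, patched = 1_310_688_000, 1_330_905_600  # constructed timestamps
    sample = [("libty_plugin.dll", old),
              ("example_a_plugin.dll", b"a"),        # hypothetical names
              ("example_b_plugin.dll", b"b")]
    with tempfile.TemporaryDirectory() as d:
        for name, data in sample:
            p = Path(d, name)
            p.write_bytes(data)
            os.utime(p, (installed, installed))
        before = audit_plugins(d, known_bad)
        target = Path(d, "libty_plugin.dll")
        target.write_bytes(new)
        os.utime(target, (patched, patched))
        after = audit_plugins(d, known_bad)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The timestamp outlier shows that a file changed but not what it changed to, so the digest of each outlier is returned for comparison against a trusted value.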
jonrichco RE: VLC Media Player update
Member 5th Mar, 2012 14:47
Score: 0
Posts: 23
User Since: 27th Nov 2008
System Score: N/A
Location: AU
Thanks Munib, but not really

I cannot see any reason for PSI to recommend a patch that doesn't exist within the program and not to recommend a new version which is what I (and I expect 90% of VLC users) would want.
Maurice Joyce RE: VLC Media Player update
Handling Contributor 5th Mar, 2012 14:54
Score: 12085
Posts: 9,371
User Since: 4th Jan 2009
System Score: N/A
Location: UK
The comments made here by Anthony Wells make good reading for Secunia Support.

http://secunia.com/community/forum/thread/show/122...

--
Maurice

Microsoft Surface 4 Intel i7 64Bit
Windows 10 Pro version 1607
16 GB RAM
IE & Edge Only
Anthony Wells RE: VLC Media Player update
Expert Contributor 5th Mar, 2012 15:57
Score: 2500
Posts: 3,386
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello all,

To update things quickly, it may be that the problem lies in the SA47325:

http://secunia.com/advisories/47325/

I have had version 1.1.11 on my system since its launch on/around 15.07.2011 and PSI was happy with this until 22.02.2012.

This means that 1.1.12 of 07.10.2011 was ignored as one would expect (a workaround for Windows). Also 1.1.13 was ignored from 21.12.2011 (first date of SA47325) until the SA was modified on 22.02.2012, which also happens to be the launch date for 2.0.0.

I have no idea why Secunia applies a "patch" which cannot be detected by the PSI - so usually called a "workaround" - and calls it 1.1.13, when a much improved upgrade/update is available, i.e. version 2.0.0, on the same date.

Without labouring the point, at least we can see the problem and deal with it in PSI 2.0.x, whereas the other (linked) thread shows the difficulty/impossibility of the current 3.0 BETA.

Must dash, take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
M.Rehman RE: VLC Media Player update
Secunia Official 5th Mar, 2012 16:00
Score: 25
Posts: 41
User Since: 12th May 2011
System Score: N/A
Location: Copenhagen, DK
After having the discussion in our team, and due to the fact that VLC 1.1.12 has a vulnerability that is not fixed in 1.1.13 but in 2.0, we have decided to update the version rule for 2.0.

This way we will get both the vulnerability fixed for earlier in 1.1.13, and the vulnerability from 1.1.12 fixed in 2.0.

--
Kind regards,

Munib Rehman
Secunia Support

Secunia PSI
http://secunia.com/vulnerability_scanning/personal
Anthony Wells RE: VLC Media Player update
Expert Contributor 5th Mar, 2012 16:09
Score: 2500
Posts: 3,386
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi Munib,

That was quick :)))

Are you in fact referring to this problem, which was not fixed in 1.1.11 and has been around since 1.1.4 and caused much polemic in the Forum?

http://secunia.com/advisories/41810/

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
M.Rehman RE: VLC Media Player update
Secunia Official 7th Mar, 2012 15:16
Score: 25
Posts: 41
User Since: 12th May 2011
System Score: N/A
Location: Copenhagen, DK


--
Kind regards,

Munib Rehman
Secunia Support

Secunia PSI
http://secunia.com/vulnerability_scanning/personal
Anthony Wells RE: VLC Media Player update
Expert Contributor 7th Mar, 2012 21:44
Score: 2500
Posts: 3,386
User Since: 19th Dec 2007
System Score: N/A
Location: N/A


--


It always seems impossible until it's done.
Nelson Mandela
