
Forum Thread: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Vulnerabilities

See the original Secunia advisory:
VLC Media Player SWF Video Decoding Use-After-Free Vulnerability

Secunia VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Secunia Official 17th Feb, 2013 18:55
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
Kaveh Ghaemmaghami has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused due to a use-after-free error when releasing a picture object during video decoding of Flash (SWF) files. This can be exploited to reference an object's callback function pointer from already freed memory.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 2.0.4. Other versions may also be affected.

klausus02 RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 17th Feb, 2013 18:55
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 19th Feb, 2013 10:19
@ Research team

Hi,

there exists the thread
https://secunia.com/community/forum/thread/show/13...

On 5th Feb 2013 I posted new information about SA51464 inside this thread.

Following my line of argument I hold the view that SA51464 has to be seen as fixed with VLC 2.0.5.

What do you think about it? I would be very pleased if you could have a look at what I discovered. Maybe you can give some short feedback?

Regards
Klaus
gregorio2 RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 18th Apr, 2013 01:00
Score: 2
Posts: 14
User Since: 20th Jan 2009
System Score: N/A
Location: US
Version 2.0.6 available as of 11 Apr 2013 per Jean-Baptiste Kempf over at VideoLAN.
As stated earlier in their forum the fix for this is in 2.0.6.

Bundaburra RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 22nd Apr, 2013 07:34
Score: 0
Posts: 21
User Since: 18th Feb 2008
System Score: 100%
Location: AU
I have installed VLC 2.0.6, tested and works OK, and in "scan results" it says that this version is patched and up to date. But in "secure browsing" I am still getting SA51464, saying that it is "unpatched, no vendor solution", and "there are still known security problems with this program that the vendor has yet to address."

A note at the end of SA51464 says that the issue is fixed in 2.0.6, so what is the current status?

mogs RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Expert Contributor 22nd Apr, 2013 13:42
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Bundaburra

Having installed all available patches....your Scan Results report that you are up to date......tho' you are up to date.....SA51464 still shows :-
Extract
Solution
No official solution is currently available.
http://secunia.com/advisories/51464/#

Hope it helps.......regards.....mogs

Bundaburra RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 23rd Apr, 2013 03:09
Score: 0
Posts: 21
User Since: 18th Feb 2008
System Score: 100%
Location: AU
I knew all of that.

See above: "Version 2.0.6 available as of 11 Apr 2013 per Jean-Baptiste Kempf over at VideoLAN. As stated earlier in their forum the fix for this is in 2.0.6."

The question remains unanswered: has the issue really been fixed in VLC 2.0.6 as stated, and SA51464 is now incorrect (and incorrectly reporting a security issue), OR has the problem not been fixed, and SA51464 is still valid?

mogs RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Expert Contributor 23rd Apr, 2013 06:51
Score: 2265
Posts: 6,268
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Bundaburra

Just checked the Secunia Advisory again....http://secunia.com/advisories/product/39838/?task=...
Extracts
Vulnerability Report: VLC Media Player 2.x
This vulnerability report for VLC Media Player 2.x contains a complete overview of all Secunia advisories affecting it. You can use this vulnerability report to ensure that you are aware of all vulnerabilities, both patched and unpatched, affecting this product allowing you to take the necessary precautions.

If you have information about a new or an existing vulnerability in VLC Media Player 2.x then you are more than welcome to contact us.

and

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting VLC Media Player 2.x, with all vendor patches applied, is rated Highly critical undefined.

If the issue had been fixed...you'd be reading :-
Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied..

klausus02 RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 23rd Apr, 2013 18:25
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
on 23rd Apr, 2013 06:51, mogs wrote:


...
If the issue had been fixed...you'd be reading :-
Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied..


As you may see in what I posted on 17th Feb, 2013 I presented my thoughts/findings concerning SA51464.

I don't really expect VideoLan to announce further official statements on this case. I feel all of us have to live with the fact that the release notes of VLC 2.0.5 are not clearly related to SA51464.

.. but I never give up hope..

- regards
Klaus
gregorio2 RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 24th Apr, 2013 02:14
Score: 2
Posts: 14
User Since: 20th Jan 2009
System Score: N/A
Location: US
https://trac.videolan.org/vlc/ticket/7860 (Bug Tickets)

This link shows the bug reported by Kaveh as closed / fixed.

Looking at : http://www.videolan.org/security/ , "Past security advisories",
I do not see it and therefore do not think VideoLan ever issued a Security Advisory for this bug. Secunia did, but VideoLan did not and that is a big point.

Maybe that was in keeping with policy stated at top of their page:

"Note well: The VideoLAN project does not issue security advisories for underlying third party libraries. Please refer to the concerned third parties as appropriate."

As far as Secunia waiting for follow up to a SA from VideoLan that was never issued, I guess you will be waiting forever.

There has been a lot of ridiculous confusion regarding this bug and I think the problem lies in bad communications between Secunia and VideoLan. (and forum posts that clouded the issue.)
Secunia and VideoLan need to better understand how each works.

But regardless:
https://trac.videolan.org/vlc/ticket/7860
shows the bug as CLOSED/FIXED.
Last date entry 2013-01-03 but first fixed 2012-12-11, so as stated previously this bug was
fixed in version 2.0.5.
Secunia Advisory SA51464 Solution Status should read Patched in 2.0.5
Anthony Wells RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Expert Contributor 26th Apr, 2013 17:56
Score: 2463
Posts: 3,348
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 26th Apr, 2013 18:02
Hi ,

Version 2.0.5 fixes :-

http://secunia.com/advisories/51692/

version 2.0.6 fixes :-

http://secunia.com/advisories/51995/

the ongoing problem of SA51464 has still not (apparently) been resolved by VideoLAN to Secunia's satisfaction , as can be seen here :-

http://secunia.com/advisories/product/39838/?task=...

From past experience :-

Secunia have very specific rules concerning their role in the Security community and the designation of vulnerabilities and patches; so the ball is firmly in the VideoLAN court and is unlikely to move from there anytime soon, if ever.

No amount of posting here will change things or get a direct reply from Secunia until Emil Jeppesen has something new to tell you - of course , that does not prohibit you from posting .

Take care

Anthony.


--


It always seems impossible until its done.
Nelson Mandela
klausus02 RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 10th May, 2013 08:30
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 10th May, 2013 09:01
on 26th Apr, 2013 17:56, Anthony Wells wrote:
Hi ,

Version 2.0.5 fixes :-

http://secunia.com/advisories/51692/

version 2.0.6 fixes :-

http://secunia.com/advisories/51995/

the ongoing problem of SA51464 has still not (apparently) been resolved by VideoLAN to Secunia's satisfaction , as can be seen here :-

http://secunia.com/advisories/product/39838/?task=... ...


Anthony, are you sure that your examples are appropriate to describe/underline Secunia's rules?

There is one big point which distinguishes SA51692/SA51995 from SA51464. For both SA51692 and SA51995 there exist CVE References plus VideoLan's own security advisories. And therefore VideoLan refers to VLC versions which fix these bugs.

But this isn't the case for SA51464! VideoLan never accepted SA51464 officially. They only got the corresponding ticket #7860 created by coolkaveh (Kaveh Ghaemmaghami). And this ticket was fixed before releasing vlc 2.0.5. So, this bug is fixed for them. Why should VideoLan move some ball? They have no interest in satisfying Secunia's rules.

I think there are two ways for Secunia to handle SA51464: Either accepting closed ticket #7860 as solution or keeping SA51464 for eternity.

Just for my information: what kind of very specific rules does Secunia follow?

Is it possible for Secunia to accept vulnerability reports not until a corresponding CVE Reference is created?

- regards
Klaus
lmacri RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 24th May, 2013 17:43
Score: 42
Posts: 87
User Since: 9th Sep 2009
System Score: N/A
Location: CA
Last edited on 24th May, 2013 18:00
I ran a scan with PSI 2.0.0.3003 today and SA51464 is no longer displayed as unpatched for VLC Media Player 2.x under Secure Browsing. I checked http://secunia.com/advisories/51464/ and confirmed that Secunia marked this vulnerability as patched for VLC Media Player v. 2.0.6 on 22-May-2013.


--
Vista Home Premium SP2 32-bit * NIS 2013 v. 20.5.0.28 * IE 9 * FF v. 31.0 * PSI v. 2.0.0.3003
Bundaburra RE: VLC Media Player Video Files Decoding Use-After-Free Vulnerability
Member 2nd Sep, 2013 10:17
Score: 0
Posts: 21
User Since: 18th Feb 2008
System Score: 100%
Location: AU
Last edited on 2nd Sep, 2013 10:24
VLC 2.0.8 is being flagged by SA51464: "Unpatched, no vendor solution".
lmacri RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 2nd Sep, 2013 15:59
Score: 42
Posts: 87
User Since: 9th Sep 2009
System Score: N/A
Location: CA
Last edited on 3rd Sep, 2013 03:33
Hi Bundaburra:

If you haven't read it yet, Secunia posted an interesting blog entry on the topic of SA51464 at http://secunia.com/blog/shooting-the-messenger-372... There is an explanation in that blog entry as to why Secunia updated their decision in July 2013 to flag VLC Media Player v. 2.0.7 (and v. 2.0.8, it would seem) as unpatched.

The reader comments under that blog entry also have some interesting links.

--
Vista Home Premium SP2 32-bit * NIS 2013 v. 20.5.0.28 * IE 9 * FF v. 31.0 * PSI v. 2.0.0.3003
earthsound RE: VLC Media Player Video Files Decoding Use-After-Free Vulnerability
Member 15th Feb, 2014 21:54
Score: -9
Posts: 14
User Since: 10th Dec 2008
System Score: N/A
Location: Hoover, AL, US
Last edited on 15th Feb, 2014 21:54
According to the VLC developer TypX, who handles the Matroska demux, the MKV fix was backported to the 2.0.x line. Has Secunia verified that this use-after-free is in the current 2.0.x or 2.1.x versions of VLC?
klausus02 RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 31st Jul, 2014 11:01
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
@Secunia Officials
Nearly 18 months have passed. In the meantime videolan has released 8 further versions.

The current version now is VLC 2.1.5 .

I feel SA51464 has been unclear from the beginning.
Has Secunia, or Kaveh Ghaemmaghami who reported the issue, proved again that SA51464 is still valid?

Maybe this link could help to get some idea:
http://www.reddit.com/r/netsec/comments/1hy601/vlc...

I would be very pleased if SA51464 could be verified again for VLC 2.1.5.

-regards
Klaus
klausus02 RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 6th Aug, 2014 11:13
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Secunia Officials
In my last post I asked Secunia to verify SA51464 again. I have to state now that I was messed up.

That time I was using VLC 2.1.5 (64-bit).

This time I installed VLC 2.1.5 (32-bit). And now Firefox is flagged as secure in SecureBrowsing by PSI2!!!

What's going on here??

Facts:

1. VLC 2.1.5 (32-bit) comes with plugin-dll npvlc.dll (version 2.1.3.0)
2. VLC 2.1.5 (64-bit) comes with plugin-dll npvlc.dll (version 2.2.0.0)

Why is npvlc.dll (version 2.1.3.0) seen as secure whereas npvlc.dll (version 2.2.0.0) is seen as insecure?

Obviously there must exist an inconsistency inside the PSI database or a missing description in SA51464. This is very confusing to me.

Secunia Officials, can you bring some light inside, please?

-regards
Klaus
lmacri RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 6th Aug, 2014 19:33
Score: 42
Posts: 87
User Since: 9th Sep 2009
System Score: N/A
Location: CA
Last edited on 6th Aug, 2014 19:37
on 6th Aug, 2014 11:13, klausus02 wrote:

This time I installed VLC 2.1.5 (32-bit). And now firefox is flagged as secure in secureBrowsing by PSI2 !!!


Hi klausus02:

I have 32-bit VLC Media Player v. 2.1.5 running on 32-bit Vista. I just ran a scan with PSI v. 2.0.0.3003 and Secure Browsing still reports VLC as "Unpatched, no vendor solution" for SA51464 in both my IE9 and Firefox 31 browsers.

I confirmed that C:\Program Files\VideoLAN\VLC\npvlc.dll is v. 2.1.3.0 on my 32-bit system.

--
Vista Home Premium SP2 32-bit * NIS 2013 v. 20.5.0.28 * IE 9 * FF v. 31.0 * PSI v. 2.0.0.3003
Bundaburra RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 7th Aug, 2014 01:14
Score: 0
Posts: 21
User Since: 18th Feb 2008
System Score: 100%
Location: AU
I have VLC Media Player 2.1.5, 64-bit version, running on Windows 7 64-bit. This version of VLC includes npvlc.dll version 2.2. A scan run just now still says "Unpatched, no vendor solution" for SA51464.
klausus02 RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 7th Aug, 2014 10:27
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
on 6th Aug, 2014 19:33, lmacri wrote:
Hi klausus02:

I have 32-bit VLC Media Player v. 2.1.5 running on 32-bit Vista. I just ran a scan with PSI v. 2.0.0.3003 and Secure Browsing still reports VLC as "Unpatched, no vendor solution" for SA51464 in both my IE9 and Firefox 31 browsers.

I confirmed that C:\Program Files\VideoLAN\VLC\npvlc.dll is v. 2.1.3.0 on my 32-bit system.


@lmacri
I can confirm your results! And I am confused. When I posted my results yesterday the situation was completely different.
klausus02 RE: VLC Media Player SWF Video Decoding Use-After-Free Vulnerability
Member 7th Aug, 2014 10:30
Score: 4
Posts: 74
User Since: 4th Feb 2011
System Score: N/A
Location: DE
on 7th Aug, 2014 01:14, Bundaburra wrote:
I have VLC Media Player 2.1.5, 64 bit version, running on Windows 7 64 bit. This version of VLC includes npvlc.dll version 2.2. A scan run just now still says "Unpatched, no vendor solution" for SA51464..


@Secunia Official !!
Can you help here ??

