1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News VLC Player hit by buffer overflow vulnerability in third party library

Discussion in 'Article Discussion' started by bit-tech, 22 Jul 2019.

  1. bit-tech

    bit-tech Supreme Overlord Lover of bit-tech Administrator

    Joined:
    12 Mar 2001
    Posts:
    3,676
    Likes Received:
    138
    Read more
     
  2. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,428
    Likes Received:
    7,278
    Article updated: the flaw is not in VLC Player, but in a third-party library - and even then only in versions shipped prior to late April 2018, which are unfortunately still included by default in selected Long Term Support Linux distributions.
     
  3. Bitten

    Bitten What's a Dremel?

    Joined:
    5 Feb 2017
    Posts:
    26
    Likes Received:
    3
    So a correct - though much less clickbaity - article title might be "Older versions of VLC have vulnerability". And the article might helpfully tell us how to check the date on the vulnerable module (which I don't find in my Windows installation).
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,428
    Likes Received:
    7,278
    Ahem:
    I don't - knowingly - do clickbait. Never have. I don't see any page view metrics, I'm not paid based on said metrics, and it literally doesn't make a difference to me whether one person reads a story or a million (though it probably does to The Powers That Be.) The headline was accurate to the information available at the time; it has been updated following the release of new information.

    If you're running Windows, you don't need to check; the library is bundled and has been the updated version since VLC 3.0.3.
     
  5. Fizzban

    Fizzban Man of Many Typos

    Joined:
    10 Mar 2010
    Posts:
    3,691
    Likes Received:
    275
    Gareth and click-bait don't go in the same sentance. The man works hard to report the news accurately, typos not withstanding. Just be sure when correcting him that you are, in fact, correct. Or be prepared to get schooled. Or don't. Him schooling people makes for entertaining reading ;)
     
    yuusou and Gareth Halfacree like this.
  6. Bitten

    Bitten What's a Dremel?

    Joined:
    5 Feb 2017
    Posts:
    26
    Likes Received:
    3
    The title is "VLC Player hit by buffer overflow vulnerability in third-party library". I of course thought that my VLC player is vulnerable and so read the article immediately. Turns out that only old installations are at risk. And it didn't tell me what to look for in Windows.

    Most readers here will have the same experience: needless spin-up; and then no directly usable info. Hence my original comment.

    It reminds me of the WinRAR vulnerability earlier this year - every website proclaimed it but not a single one even mentioned that you could and should simply delete unacev2.dll. They all went on about code age and ownership, patches, and updates, and how unlikely those were etc etc. Probably half of the readers - all of whom could easily have eliminated the risk - ultimately did nothing because it seemed too complicated.

    So I have no patience for malware announcements that are anything like that. I want to know quickly (1) does it apply to my PC; (2) how can I tell if I'm actually at risk, and (3) what is the smartest thing to do about it. This article, even as edited, falls short on making any of these clear.
     
  7. yuusou

    yuusou Multimodder

    Joined:
    5 Nov 2006
    Posts:
    2,967
    Likes Received:
    1,038
    This news article, such as a news article is and should be, provides news. It's not a technical support article. You're perhaps right about the title, but that's about as far as the changes need to go.
     
  8. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,428
    Likes Received:
    7,278
    That's the updated title, yes. It didn't say "in third party library" originally because that's what the story was two days ago when I wrote it. It isn't any more, because new information has come to light and I've updated the story. The forum thread still has the old title, but the article doesn't. Click it, see for yourself. Hell, I'll update the forum thread title too, if you like.
    That's not the case: read the article again. Even the most up-to-date VLC is vulnerable if you're using the vulnerable library version - but that information wasn't available two days ago. According the the information that was available two days ago, all versions up to the latest beta were vulnerable. The article was updated *within an hour* of VideoLAN declaring that not to be the case and pointing to the third-party library as the culprit.

    Incidentally, I don't get paid for updating existing articles. I'm contracted to do three 250-word news articles per day. Every single word over that, every update, every vendor comment, every forum post comes from my love of the community here. And my desire to have the last word in any debate.

    Mostly my desire to have the last word in any debate.
     
    Last edited: 24 Jul 2019
Tags: Add Tags

Share This Page