[Solved] VLC 3.0.3 detected as safe

Reply to [Solved] VLC 3.0.3 detected as safe on Sun, 30 Dec 2018 09:50:24 GMT

OLLI_S — Sun, 30 Dec 2018 09:50:24 GMT

@GregAlexandre OK, then I mark the topic as Solved

Reply to [Solved] VLC 3.0.3 detected as safe on Sat, 29 Dec 2018 17:51:49 GMT

GregAlexandre — Sat, 29 Dec 2018 17:51:49 GMT

@Tom
From changelog 3.0.4 to 3.0.5
"Update numerous 3rd party libraries, including for minor security issues"

This subject could be close.

Thanks a lot Tom.

Reply to [Solved] VLC 3.0.3 detected as safe on Fri, 28 Dec 2018 16:00:09 GMT

Anselm — Fri, 28 Dec 2018 16:00:09 GMT

@Tom Thank you, I updated it yesterday ;-)

Reply to [Solved] VLC 3.0.3 detected as safe on Fri, 28 Dec 2018 14:57:09 GMT

Tom — Fri, 28 Dec 2018 14:57:09 GMT

@Anselm VLC 3.0.5 is out

Reply to [Solved] VLC 3.0.3 detected as safe on Thu, 06 Dec 2018 09:30:14 GMT

Anselm — Thu, 06 Dec 2018 09:30:14 GMT

@Anselm Correction: OK, i did not see it yesterday at cve.mitre.org using the search. But now i knew why:
Date Entry Created
20181205

Reply to [Solved] VLC 3.0.3 detected as safe on Thu, 06 Dec 2018 08:51:42 GMT

Anselm — Thu, 06 Dec 2018 08:51:42 GMT

@Tom OK, i did not see it at cve.mitre.org using the search.

Reply to [Solved] VLC 3.0.3 detected as safe on Thu, 06 Dec 2018 08:48:11 GMT

Tom — Thu, 06 Dec 2018 08:48:11 GMT

@Anselm See this:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19857

Reply to [Solved] VLC 3.0.3 detected as safe on Wed, 05 Dec 2018 20:31:56 GMT

Anselm — Wed, 05 Dec 2018 20:31:56 GMT

@Tom says, 3.0.2, 3.0.3, 3.0.4 are not insecure, but 3.0.4 is recommended . I only found an information, that 3.0.1 is insecure.

Reply to [Solved] VLC 3.0.3 detected as safe on Wed, 05 Dec 2018 19:58:17 GMT

OLLI_S — Wed, 05 Dec 2018 19:58:17 GMT

Tom, is the issue solved (after you flagged all versions as being "Insecure")?

Reply to [Solved] VLC 3.0.3 detected as safe on Wed, 05 Dec 2018 13:11:28 GMT

Tom — Wed, 05 Dec 2018 13:11:28 GMT

Thank you.

Yeah, well, as we discussed that, it seems that a guy has found a vuln in 3.0.4.

So it is time to flag all versions as being "Insecure" :(

Let's hope a new release of VLC comes out one of the next days.

CVE Details is a great site for getting some high level information about the history of a product.

However, CVE itself, has seen better days, unfortunately a lot of vulns are assigned CVEs rather late and a lot never receives a CVE.

Just look at yesterdays Chrome release, where some of the vulns are "To be allocated [a CVE]". That seems odd for such a significant app as Chrome:
https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html

Reply to [Solved] VLC 3.0.3 detected as safe on Wed, 05 Dec 2018 11:07:04 GMT

Anselm — Wed, 05 Dec 2018 11:07:04 GMT

FYI:
Common Vulnerabilities and Exposures (CVE):

https://www.cvedetails.com/version-list/5842/9978/1/Videolan-Vlc-Media-Player.html

https://www.cvedetails.com/product/9978/Videolan-Vlc-Media-Player.html?vendor_id=5842

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=VLC

Reply to [Solved] VLC 3.0.3 detected as safe on Tue, 04 Dec 2018 10:40:17 GMT

Tom — Tue, 04 Dec 2018 10:40:17 GMT

Unless some more tangible report comes out, then we will keep flagging 3.0.2, 3.0.3 and 3.0.4 as "OK", with 3.0.4 being the recommended version.

But thank you for reporting this, in this time and age you can't just rely on vendors to report all issues, so when you see reports elsewhere, then please post here or send me a chat message and we will investigate.

Reply to [Solved] VLC 3.0.3 detected as safe on Sun, 02 Dec 2018 20:10:06 GMT

Anselm — Sun, 02 Dec 2018 20:10:06 GMT

Maybe a copy paste error?

https://portableapps.com/news/2018-09-01--vlc-media-player-portable-3.0.4-released (This version fixes a critical security issue in VLC.)
https://portableapps.com/news/2018-05-31--vlc-media-player-portable-3.0.3-released ( This version fixes a critical security issue in VLC.)
https://portableapps.com/news/2018-05-06--vlc-media-player-portable-3.0.2-released (This version fixes a critical security issue in VLC. )
https://portableapps.com/news/2018-03-21--vlc-media-player-portable-3.0.1-released (This version fixes a critical security issue in VLC.)

Reply to [Solved] VLC 3.0.3 detected as safe on Sun, 02 Dec 2018 19:13:15 GMT

GregAlexandre — Sun, 02 Dec 2018 19:13:15 GMT

Hi Tom,

When I launched VLC I got a message that a new version was available and fixing security issues. I patched, reported and did not look for anything else: as you pinpointed they are quite good for security and providing information.

I remember that I was a bit surprised to have miss this in security bulletins that I receive: it seems that I was not so bad.:relaxed:

I am not alone with this: https://portableapps.com/news/2018-09-01--vlc-media-player-portable-3.0.4-released

I also found that (https://www.wilderssecurity.com/threads/vlc-3-0-vetinari-released.400558/page-3):

"The changelog for 3.0.4 doesn't mention security fixes specifically, but the release notes in the built-in updater do:
VideoLAN and the VLC development team present VLC 3.0 "Vetinari".
VLC 3.0.4 is a minor update to VLC 3.0 branch, fixes numerous hardware decoding issues, adds support for AV1 streams and fixes security issues. It also improves the support for numerous formats, and regressions in video quality compared to 2.2.x, in certain cases.""

I am quite sure that I read this somewhere as I was surprised they let regressions and that I had (have) no idea of what is an "AV1 stream".

Hope this helps.
Regards.
Greg.

Reply to [Solved] VLC 3.0.3 detected as safe on Tue, 27 Nov 2018 12:29:29 GMT

Tom — Tue, 27 Nov 2018 12:29:29 GMT

@Anselm Thank you

Reply to [Solved] VLC 3.0.3 detected as safe on Mon, 26 Nov 2018 22:07:49 GMT

Anselm — Mon, 26 Nov 2018 22:07:49 GMT

FYI:
https://www.videolan.org/security/ "... Please note: The VideoLAN project does not issue security advisories for underlying third party libraries. Please refer to the concerned third parties as appropriate. ..."

BTW, there is a secuirty issue in LIVE555 media streaming library, but this should not influence vlc, see:

https://www.hackread.com/watch-out-for-this-vulnerability-in-vlc-mplayer/ (October 20th, 2018)
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4013

Reply to [Solved] VLC 3.0.3 detected as safe on Mon, 26 Nov 2018 12:52:47 GMT

Tom — Mon, 26 Nov 2018 12:52:47 GMT

Hi Greg,

3.0.4 has actually been out for a while, but when we added the rule it wasn't yet the recommended version - this I have updated now - thank you.

Where did you get the information 3.0.3 is vulnerable?

As you can see, there is (at the time of writing) no official information on the VLC site, and they are usually good at providing this information:
https://www.videolan.org/news.html
https://www.videolan.org/security/

/Tom