SecTeer VulnDetect & PatchPro Support Forum VulnDetect
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Download VulnDetect Installer
    • Login

    [Solved] VLC 3.0.3 detected as safe

    Scheduled Pinned Locked Moved Solved Detection Issues
    19 Posts 4 Posters 5.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G Offline
      GregAlexandre
      last edited by OLLI_S

      Hi,
      VLC 3.0.3 is known to haves security issues and replaced by 3.0.4.
      Regards.
      Greg.

      1 Reply Last reply Reply Quote 0
      • T Offline
        Tom VulnDetect Team Member
        last edited by Tom

        Hi Greg,

        3.0.4 has actually been out for a while, but when we added the rule it wasn't yet the recommended version - this I have updated now - thank you.

        Where did you get the information 3.0.3 is vulnerable?

        As you can see, there is (at the time of writing) no official information on the VLC site, and they are usually good at providing this information:
        https://www.videolan.org/news.html
        https://www.videolan.org/security/

        /Tom

        /Tom
        Download the latest SecTeer VulnDetect agent here:
        https://vulndetect.com/dl/secteerSetup.exe

        1 Reply Last reply Reply Quote 0
        • A Offline
          Anselm
          last edited by

          FYI:
          https://www.videolan.org/security/ "... Please note: The VideoLAN project does not issue security advisories for underlying third party libraries. Please refer to the concerned third parties as appropriate. ..."

          BTW, there is a secuirty issue in LIVE555 media streaming library, but this should not influence vlc, see:

          https://www.hackread.com/watch-out-for-this-vulnerability-in-vlc-mplayer/ (October 20th, 2018)
          https://talosintelligence.com/vulnerability_reports/TALOS-2018-0684
          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4013

          T 1 Reply Last reply Reply Quote 0
          • T Offline
            Tom VulnDetect Team Member @Anselm
            last edited by

            @Anselm Thank you

            /Tom
            Download the latest SecTeer VulnDetect agent here:
            https://vulndetect.com/dl/secteerSetup.exe

            1 Reply Last reply Reply Quote 0
            • G Offline
              GregAlexandre
              last edited by

              This post is deleted!
              1 Reply Last reply Reply Quote 0
              • G Offline
                GregAlexandre
                last edited by

                Hi Tom,

                When I launched VLC I got a message that a new version was available and fixing security issues. I patched, reported and did not look for anything else: as you pinpointed they are quite good for security and providing information.

                I remember that I was a bit surprised to have miss this in security bulletins that I receive: it seems that I was not so bad.☺

                I am not alone with this: https://portableapps.com/news/2018-09-01--vlc-media-player-portable-3.0.4-released

                I also found that (https://www.wilderssecurity.com/threads/vlc-3-0-vetinari-released.400558/page-3😞

                "The changelog for 3.0.4 doesn't mention security fixes specifically, but the release notes in the built-in updater do:
                VideoLAN and the VLC development team present VLC 3.0 "Vetinari".
                VLC 3.0.4 is a minor update to VLC 3.0 branch, fixes numerous hardware decoding issues, adds support for AV1 streams and fixes security issues. It also improves the support for numerous formats, and regressions in video quality compared to 2.2.x, in certain cases.""

                I am quite sure that I read this somewhere as I was surprised they let regressions and that I had (have) no idea of what is an "AV1 stream".

                Hope this helps.
                Regards.
                Greg.

                1 Reply Last reply Reply Quote 0
                • A Offline
                  Anselm
                  last edited by Anselm

                  Maybe a copy paste error?

                  https://portableapps.com/news/2018-09-01--vlc-media-player-portable-3.0.4-released (This version fixes a critical security issue in VLC.)
                  https://portableapps.com/news/2018-05-31--vlc-media-player-portable-3.0.3-released ( This version fixes a critical security issue in VLC.)
                  https://portableapps.com/news/2018-05-06--vlc-media-player-portable-3.0.2-released (This version fixes a critical security issue in VLC. )
                  https://portableapps.com/news/2018-03-21--vlc-media-player-portable-3.0.1-released (This version fixes a critical security issue in VLC.)

                  1 Reply Last reply Reply Quote 0
                  • T Offline
                    Tom VulnDetect Team Member
                    last edited by

                    Unless some more tangible report comes out, then we will keep flagging 3.0.2, 3.0.3 and 3.0.4 as "OK", with 3.0.4 being the recommended version.

                    But thank you for reporting this, in this time and age you can't just rely on vendors to report all issues, so when you see reports elsewhere, then please post here or send me a chat message and we will investigate.

                    /Tom
                    Download the latest SecTeer VulnDetect agent here:
                    https://vulndetect.com/dl/secteerSetup.exe

                    A 1 Reply Last reply Reply Quote 0
                    • A Offline
                      Anselm @Tom
                      last edited by

                      FYI:
                      Common Vulnerabilities and Exposures (CVE):

                      https://www.cvedetails.com/version-list/5842/9978/1/Videolan-Vlc-Media-Player.html

                      https://www.cvedetails.com/product/9978/Videolan-Vlc-Media-Player.html?vendor_id=5842

                      https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=VLC

                      1 Reply Last reply Reply Quote 0
                      • T Offline
                        Tom VulnDetect Team Member
                        last edited by

                        😄

                        Thank you.

                        Yeah, well, as we discussed that, it seems that a guy has found a vuln in 3.0.4.

                        So it is time to flag all versions as being "Insecure" 😞

                        Let's hope a new release of VLC comes out one of the next days.

                        CVE Details is a great site for getting some high level information about the history of a product.

                        However, CVE itself, has seen better days, unfortunately a lot of vulns are assigned CVEs rather late and a lot never receives a CVE.

                        Just look at yesterdays Chrome release, where some of the vulns are "To be allocated [a CVE]". That seems odd for such a significant app as Chrome:
                        https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html

                        /Tom
                        Download the latest SecTeer VulnDetect agent here:
                        https://vulndetect.com/dl/secteerSetup.exe

                        1 Reply Last reply Reply Quote 0
                        • OLLI_SO Offline
                          OLLI_S Community Moderator
                          last edited by

                          Tom, is the issue solved (after you flagged all versions as being "Insecure")?

                          1 Reply Last reply Reply Quote 0
                          • A Offline
                            Anselm
                            last edited by

                            @Tom says, 3.0.2, 3.0.3, 3.0.4 are not insecure, but 3.0.4 is recommended . I only found an information, that 3.0.1 is insecure.

                            T 1 Reply Last reply Reply Quote 0
                            • T Offline
                              Tom VulnDetect Team Member @Anselm
                              last edited by

                              @Anselm See this:
                              https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19857

                              /Tom
                              Download the latest SecTeer VulnDetect agent here:
                              https://vulndetect.com/dl/secteerSetup.exe

                              A 1 Reply Last reply Reply Quote 1
                              • A Offline
                                Anselm @Tom
                                last edited by

                                @Tom OK, i did not see it at cve.mitre.org using the search.

                                A 1 Reply Last reply Reply Quote 0
                                • A Offline
                                  Anselm @Anselm
                                  last edited by

                                  @Anselm Correction: OK, i did not see it yesterday at cve.mitre.org using the search. But now i knew why:
                                  Date Entry Created
                                  20181205

                                  T 1 Reply Last reply Reply Quote 0
                                  • T Offline
                                    Tom VulnDetect Team Member @Anselm
                                    last edited by

                                    @Anselm VLC 3.0.5 is out

                                    /Tom
                                    Download the latest SecTeer VulnDetect agent here:
                                    https://vulndetect.com/dl/secteerSetup.exe

                                    A G 2 Replies Last reply Reply Quote 0
                                    • A Offline
                                      Anselm @Tom
                                      last edited by

                                      @Tom Thank you, I updated it yesterday 😉

                                      1 Reply Last reply Reply Quote 0
                                      • G Offline
                                        GregAlexandre @Tom
                                        last edited by

                                        @Tom
                                        From changelog 3.0.4 to 3.0.5
                                        "Update numerous 3rd party libraries, including for minor security issues"

                                        This subject could be close.

                                        Thanks a lot Tom.

                                        1 Reply Last reply Reply Quote 0
                                        • OLLI_SO Offline
                                          OLLI_S Community Moderator
                                          last edited by

                                          @GregAlexandre OK, then I mark the topic as Solved

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Download SecTeer Personal VulnDetect - an alternative to the long lost Secunia PSI

                                          Please see our Privacy and Data Processing Policy
                                          Sponsored and operated by SecTeer | VulnDetect is a replacement for the EoL Secunia PSI
                                          Forum software by NodeBB