[vlc-devel] vlc: svn commit r24342 (funman)
rdenis at simphalempin.com
Thu Jan 17 17:21:13 CET 2008
Le Thursday 17 January 2008 15:50:05 Rafaël Carré, vous avez écrit :
> > > But they know already, since they control VLC, no ?
> > access the CD drive, but for some reason, I doubt it.
> My point is since a webpage launched the vlc instance, it can play
> whatever it wants.
I still fail to see why it should be able to direct CDDB requests anywhere.
Playing anything is not the same thing as knowing anything about what you're
> > Should the thing be allowed to store large files anywhere (as in, on
> > any partition, inside any directory)? Plus having a restrictive
> > filename does not mean the problem is not there, won't be published
> > on bugtraq, and won't give VLC its (deserved) reputation as one of
> > the least secure media player.
> I just didn't consider this feature harmful. What I checked is that it
> wouldn't be able to overwrite system files.
With this kind of thinking, we'd never fix security issues involving temporary
file and/or symbolic links.
> Again, since the items played by VLC are controlled by the webpage
> running the plugin instance, I didn't consider changing the
> certificates used to authentify the item played was harmful.
Never mind it breaks the whole TLS security.
> > Thank you so much for ensuring that VLC gets kicked out of every
> > open-source operating system distributions.
> The trunk is public, so everyone can check the different commits before
> it gets released.
And how does that solve my concern? Distributions/packagers have more
important and interesting things to do than fix the security issues in VLC.
Packaging less insecure media players for instance.
More information about the vlc-devel