[vlc-devel] Bug#504639: vlc: buffer overflow in CUE support

Rémi Denis-Courmont rdenis at simphalempin.com
Mon Nov 17 04:29:04 CET 2008 

On Thursday 06 November 2008 15:41:21 Nico Golde, you wrote:
> * Rémi Denis-Courmont <rdenis at simphalempin.com> [2008-11-06 14:24]:
> > On Wed, 5 Nov 2008 22:56:52 +0100, Nico Golde <nion at debian.org> wrote:
> > > As you are upstream of vlc, is it possible that you
> > > prenotify us?
> >
> > Like how? I had the notification on Tuesday and the fix on Wednesday...
> > I wouldn't file a public bug before the fix is ready.
> > At least Ubuntu has a private bug support.
>
> We also have, contact team at security.debian.org
> You could at least write a mail with details to vendor-sec at lst.de to get
> a CVE id assigned. This is a private list with most of the
> Linux vendors on it.

As far as I am concerned, vendor-sec at lst.de could be run by some scammers 
looking for zero day as much as OSS systems vendors. Even Google cannot find 
any helpful reference to that.

Thanks but no thanks.

> > > The handling here is pretty suboptimal, if I would have known
> > > this earlier I could have included the fix in the testing-security
> > > version that is just about to be released.
> > >
> > > P.S. I'm sick of all the security issues, I thought wordpress has a lot
> > > :)
> >
> > You don't tell me. Doing one, two, three advisories is fine. But over 20
> > CVEs, I'm totally bored.
>
> Heh
>
> > Unfortunately that's not going to improve. We are becoming a recurrent
> > target now that servers and browsers vulnerabilities are not so easy to
> > find anymore. And VLC runs on Windows and OSX... Our attack surface is
> > huge due to the number of file formats and protocols, the amount of
> > "legacy" code and reverse engineered/poorly documented formats.
> >
> > Once the file formats are run out of obvious problems, they'll switch to
> > codecs. Good news for me, VLC has quite few of them built-in (mostly
> > trivial ones). But I expect lots of fun for ffmpeg/libavcodec
> > maintainers.
>
> Yeah this is really bad. I once had a look at the ffmpeg
> code and there are for sure a bunch of vulnerabilities in
> there which I just didnt follow more in detail because I
> didnt have the time to have a look on how to construct the
> needed media files.

OSS media players are not going to improve their security handling with the 
current trend. Only security "researchers" audit VLC et al. visibly at the 
moment, beyond my own self. And they're obviously trying to maximize not the 
software quality but the number of individual advisories credited to them.

-- 
Rémi Denis-Courmont

More information about the vlc-devel mailing list