[vlc-devel] FYI: Serious bug in old LIVE555 library versions - affecting VLC

Rémi Denis-Courmont remi at remlab.net
Wed Nov 27 15:21:34 CET 2013

On Wed, 27 Nov 2013 03:35:36 -1000, Ross Finlayson <finlayson at live555.com>
>> upgrading live555 to the newest version will include a lot of other
>> changes, too
> You say that like it's a bad thing :-)

It _is_ a bad thing for more than one reason.

- The VLC contrib system includes a secure hash of every source tarball.
This ensures that an attacker cannot replace the source code silently in a
subsequent build, and that the download was not corrupted. If you silently
change or remove the tarball, it fails.
- The library interface sometimes changes. The VLC source code cannot
magically auto-update itself; it needs to be built with a compatible
version of live555. This is even more true for the older VLC releases.
- Not all new releases are better than the older ones. Regressions do
happen. Sticking to a known good version is a feature, not a bug. (And many
new features require VLC source code changes to leverage them.)
- Some downstream distributions have strict rules on security or critical
updates. By policy, they cannot accept bulk updates.

Rémi Denis-Courmont
Sent from my collocated server

More information about the vlc-devel mailing list