[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL

Rémi Denis-Courmont remi at remlab.net
Fri Mar 10 18:20:21 CET 2017

Le perjantaina 10. maaliskuuta 2017, 18.03.02 EET Jean-Baptiste Kempf a 
écrit :
> On Fri, 10 Mar 2017, at 17:57, Rémi Denis-Courmont wrote:
> > > Yet, this is using the default KnownDLL list.
> > 
> > But that is the whole point. This is only the _default_.
> Yes, and that fixes the issue for most configurations.
> > Microsoft can extend the list and make this fix redundant. The admin,
> > maybe
> > the user, or an attacker can remove another entry from the list. It is
> > presumptuous to call that a fix if it depends on the default settings to
> > work.
> > It is not a fix in my book. Especially not a for a security
> > vulnerability.
> I'm listening to a fix according to your book.

I did not promise to fix anything. I was not even asked for an opinion before 
the PR was released.

> > There are already rumors that VideoLAN was strong-armed to add or leave
> > open
> > this vulnerability. It will get worse: We have known this issue since at
> > least
> > July of last year, and yet we only fixed it partially at the time.
> If you modify the KnownDLL list, you are root, and your system is
> compromised,
> and we cannot do anything. We cannot fix Windows.

Yes. You can´t fix Windows. So why do you try to work around it being 
supposedly broken still?

> > lastly,
> > the board has issued a PR about how the issue is taken very seriously and
> > will be fixed.
> Where did the _board_ issue any PR?

Are you trolling or are you only trolling?


Since you are trolling, I am ignoring you on this thread and with prejudices.


More information about the vlc-devel mailing list