[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL

Rémi Denis-Courmont remi at remlab.net
Wed Mar 29 22:25:39 CEST 2017

Le keskiviikkona 29. maaliskuuta 2017, 22.04.49 EEST Jean-Baptiste Kempf a 
écrit :
> Hello,
> On Wed, 29 Mar 2017, at 21:44, Rémi Denis-Courmont wrote:
> > Filip and I objected to dynamically loading DLL - the patch at the top of
> > this thread - because it adds complexity ("onion") and fixes literally
> > nothing as far as VLC is concerned.
> I disagree.

I don´t see what there is to agree or disagree with, except alternative facts 

The only difference this makes is whether a DLL in the installation directory 
can replace the Windows DLL. This is a _not_ a VLC security issue.

If the user actually put a DLL in the installation directory, s/he wants to 
use VLC with it. You just made that never used feature impossible.
If a DLL is there that the user does not intend to use, then that´s either a 
user error or an operating system problem. And regardless, the patch does not 
solve the problem of unintended DLL loading.

This patch is totally wrong. Indeed, two weeks on, nobody has been able to 
provide a threat model that would make this a security vulnerability. There 
exists no such model. And if there were one, we would be very screwed becayse 
the patch would not fix the vulnerability, as noted already.

Anybody who would hypothetically claim that this is a VLC security issue is 
either clueless or lying.


More information about the vlc-devel mailing list