[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL
Rémi Denis-Courmont
remi at remlab.net
Wed Mar 29 22:25:39 CEST 2017
On Wednesday, 29 March 2017, 22:04:49 EEST, Jean-Baptiste Kempf wrote:
> Hello,
>
> On Wed, 29 Mar 2017, at 21:44, Rémi Denis-Courmont wrote:
> > Filip and I objected to dynamically loading DLL - the patch at the top of
> > this thread - because it adds complexity ("onion") and fixes literally
> > nothing as far as VLC is concerned.
>
> I disagree.

I don't see what there is to agree or disagree with, except alternative facts
here.

The only difference this makes is whether a DLL in the installation directory
can replace the Windows DLL. This is _not_ a VLC security issue.

If the user actually put a DLL in the installation directory, s/he wants to
use VLC with it. You just made that never-used feature impossible.

If a DLL is there that the user does not intend to use, then that's either a
user error or an operating system problem. And regardless, the patch does not
solve the problem of unintended DLL loading.

This patch is totally wrong. Indeed, two weeks on, nobody has been able to
provide a threat model that would make this a security vulnerability. There
exists no such model. And if there were one, we would be very screwed because
the patch would not fix the vulnerability, as noted already.

Anybody who would hypothetically claim that this is a VLC security issue is
either clueless or lying.

--
雷米‧德尼-库尔蒙
https://www.remlab.net/