[vlc-devel] [PATCH] smb: try libdsm first

Rémi Denis-Courmont remi at remlab.net
Wed Oct 16 20:25:29 CEST 2019

On Wednesday 16 October 2019, 13:53:57 EEST, Thomas Guillem wrote:
> On Wed, Oct 16, 2019, at 12:01, Rémi Denis-Courmont wrote:
> > Hi,
> > 
> > There is already a vulnerability if there is an MITM. The point is that
> > this patch adds a second vulnerability by using SMB1 even without an
> > MITM.
> > 
> > Downgrading is also going to damage performance that already sucks badly
> > enough with SMB inputs.
> > 
> > And sorry but I do draw a line with backward or bug compatibility hacks.
> > If they break or damage functionality where the hack would not be needed,
> > then it's wrong.
> We had a lot of SMB2 issues for quite some time, and I never wanted to put
> libdsm in high priority to quickly fix those issues. I did my best to solve
> a lot of libsmb2 issues that were preventing users from accessing any SMB
> servers. But the issue I'm now facing is not solvable via libsmb2.
> I agree that SMBv1 should never be put in high priority. On the other hand,
> we got a lot of angry customers who are insulting us daily because of
> that.

With all due respect, I don't think the vlc-devel community does or should 
care (much) about your employer's customers, angry or not. The day all your 
customers agree with the community is probably the day that you have no 
customers left. You are free to deliver an insecure forked version to your 
angry customers if you want.

I don't think official VLC releases should be shipped with a known CVE-worthy 
security vulnerability, or even that we should slow down network preparsing, 
which is already exhibiting enough performance problems as it is.

> cf. https://aka.ms/stillneedssmb1 sadly, smb1 is still used.

I don't exactly see how a long list of mostly obscure and/or old stuff is of 
much relevance. If anything, that page looks like a thinly veiled effort 
by Microsoft to shame SMB1 implementors.

If it's down to what Microsoft writes then:
ba-p/425858 - it can hardly be more clear. And this was 3 years ago already.

> What I'm now proposing: add an option in VLC-Android and VLC-ios to enable
> SMBv1 compat mode. We will explain in that option that users should not do
> that and change their SMB servers instead.
> Do you agree with that ?

Yes only because I don't care about those. But if this is enabled by default, 
you're just moving the problem to another sub-community.

Реми Дёни-Курмон
