[vlc-devel] [PATCH] smb: try libdsm first

Thomas Guillem thomas at gllm.fr
Wed Oct 16 20:58:31 CEST 2019



On Wed, Oct 16, 2019, at 20:25, Rémi Denis-Courmont wrote:
> On Wednesday 16 October 2019 at 13:53:57 EEST, Thomas Guillem wrote:
> > On Wed, Oct 16, 2019, at 12:01, Rémi Denis-Courmont wrote:
> > > Hi,
> > > 
> > > There is already a vulnerability if there is an MITM. The point is that
> > > this patch adds a second vulnerability by using SMB1 even without an
> > > MITM.
> > > 
> > > Downgrading is also going to damage performance that already sucks badly
> > > enough with SMB inputs.
> > > 
> > > And sorry but I do draw a line with backward or bug compatibility hacks.
> > > If they break or damage functionality where the hack would not be needed,
> > > then it's wrong.
> > We have had a lot of SMB2 issues for quite some time; I never wanted to put libdsm
> > in high priority to quickly fix those issues. I did my best to solve a lot
> > of libsmb2 issues that were preventing users from accessing any SMB servers. But
> > the issue I'm now facing is not solvable via libsmb2.
> > 
> > I agree that SMBv1 should never be put in high priority. On the other hand,
> > we have a lot of angry customers who are insulting us daily because of
> > that.
> 
> With all due respect, I don't think the vlc-devel community does or should 
> care (much) about your employer's customers, angry or not. The day all your 
> customers agree with the community is probably the day that you have no 
> customers left. You are free to deliver an insecure forked version to your 
> angry customers if you want.

Just to clarify, this patch is not for any Videolabs customers; I used a wrong word in my first reply. If a Videolabs customer wants that kind of patch, we just send it to them without pushing it here. This patch is for VLC for Android and iOS users, yes, the ones that are insulting us.


> 
> I don't think official VLC releases should be shipped with a known CVE-worthy 
> security vulnerability, or even that we should slow down network preparsing, 
> which is already exhibiting enough performance problems as it is.
> 
> > cf. https://aka.ms/stillneedssmb1 sadly, smb1 is still used.
> 
> I don't exactly see how a long list of mostly obscure and/or old stuff is of 
> much relevance. If anything, that page looks like a thinly veiled effort 
> by Microsoft to shame SMB1 implementors.
> 
> If it's down to what Microsoft writes, then:
> https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Stop-using-SMB1/
> ba-p/425858 - it can hardly be clearer. And this was 3 years ago already.

Yes, I agree with that, but then you have people who hack their Windows 10 to disable SMB3 and force SMB1...

> 
> > What I'm now proposing: add an option in VLC-Android and VLC-iOS to enable
> > SMBv1 compat mode. We will explain in that option that users should not do
> > that and should change their SMB servers instead.
> > 
> > Do you agree with that ?
> 
> Yes only because I don't care about those. But if this is enabled by default, 
> you're just moving the problem to another sub-community.

No, it won't be enabled by default. I think we need to discourage such bad practice.


> 
> -- 
> Реми Дёни-Курмон
> http://www.remlab.net/

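The dialect-selection policy the thread is arguing about, as an added example in C. This is not code from the patch under review nor from VLC, libdsm or libsmb2; the SMB1 sentinel value, the `server_caps` model of what a server advertises, the constructed servers and the `pick_*` function names are all assumptions of the example. The SMB2/3 revision numbers are the ones MS-SMB2 defines for NEGOTIATE. It contrasts "try the SMB1 library first" (which puts an SMB3-capable server on SMB1 with no MITM involved) with "newest dialect first, SMB1 only on explicit opt-in", where the compat option only matters for servers that offer nothing but SMB1 and never downgrades a server that speaks SMB2 or later:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SMB2/3 dialect revisions as carried in NEGOTIATE (MS-SMB2 2.2.3 / 2.2.4). */
#define SMB2_DIALECT_0202 0x0202 /* SMB 2.0.2 */
#define SMB2_DIALECT_0210 0x0210 /* SMB 2.1   */
#define SMB2_DIALECT_0300 0x0300 /* SMB 3.0   */
#define SMB2_DIALECT_0302 0x0302 /* SMB 3.0.2 */
#define SMB2_DIALECT_0311 0x0311 /* SMB 3.1.1 */
/* SMB1 has no SMB2 revision number; this sentinel is an assumption of the example. */
#define SMB1_DIALECT_LEGACY 0x0001
#define DIALECT_NONE 0x0000 /* refuse to connect */

/* Constructed model of what a server is willing to speak (not wire data). */
struct server_caps {
    const uint16_t *dialects;
    size_t count;
};

static bool server_supports(const struct server_caps *s, uint16_t dialect)
{
    for (size_t i = 0; i < s->count; i++)
        if (s->dialects[i] == dialect)
            return true;
    return false;
}

/* Client preference among SMB2/3 dialects, newest first. */
static const uint16_t secure_order[] = {
    SMB2_DIALECT_0311, SMB2_DIALECT_0302, SMB2_DIALECT_0300,
    SMB2_DIALECT_0210, SMB2_DIALECT_0202,
};
#define SECURE_ORDER_LEN (sizeof secure_order / sizeof secure_order[0])

/* Policy A, the ordering objected to in the thread: SMB1 first. A server that
 * speaks SMB3 still ends up on SMB1, and no MITM is needed for that. */
uint16_t pick_smb1_first(const struct server_caps *s)
{
    if (server_supports(s, SMB1_DIALECT_LEGACY))
        return SMB1_DIALECT_LEGACY;
    for (size_t i = 0; i < SECURE_ORDER_LEN; i++)
        if (server_supports(s, secure_order[i]))
            return secure_order[i];
    return DIALECT_NONE;
}

/* Policy B: newest dialect first. SMB1 is reached only when the server offers
 * nothing else AND the user explicitly enabled the compat option (default off).
 * Even with the option on, an SMB2/3-capable server is never downgraded. */
uint16_t pick_secure_first(const struct server_caps *s, bool allow_smb1_compat)
{
    for (size_t i = 0; i < SECURE_ORDER_LEN; i++)
        if (server_supports(s, secure_order[i]))
            return secure_order[i];
    if (allow_smb1_compat && server_supports(s, SMB1_DIALECT_LEGACY))
        return SMB1_DIALECT_LEGACY;
    return DIALECT_NONE;
}

/* Constructed servers: a modern box that also left SMB1 enabled, and an
 * SMB1-only NAS of the kind the compat option is meant for. */
static const uint16_t modern_dialects[] = { SMB1_DIALECT_LEGACY, SMB2_DIALECT_0210, SMB2_DIALECT_0311 };
static const uint16_t legacy_dialects[] = { SMB1_DIALECT_LEGACY };
const struct server_caps modern_srv = { modern_dialects, sizeof modern_dialects / sizeof modern_dialects[0] };
const struct server_caps legacy_srv = { legacy_dialects, sizeof legacy_dialects / sizeof legacy_dialects[0] };

int main(void)
{
    printf("modern server, SMB1-first:             0x%04x\n", pick_smb1_first(&modern_srv));
    printf("modern server, secure-first, compat=0: 0x%04x\n", pick_secure_first(&modern_srv, false));
    printf("modern server, secure-first, compat=1: 0x%04x\n", pick_secure_first(&modern_srv, true));
    printf("legacy server, secure-first, compat=0: 0x%04x\n", pick_secure_first(&legacy_srv, false));
    printf("legacy server, secure-first, compat=1: 0x%04x\n", pick_secure_first(&legacy_srv, true));
    return 0;
}
```

The compat flag is deliberately consulted only after every SMB2/3 dialect has been ruled out, so turning it on for one SMB1-only NAS cannot silently downgrade connections to every other share the user opens.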