[vlc-devel] [PATCH 00/13] Execute medialib queries out of the UI thread

Pierre Ynard linkfanel at yahoo.fr
Mon Nov 30 04:30:55 CET 2020


> > Well my experience is that, if I enable the media library, VLC
> > crashes immediately because of some demuxer bug. This is totally
> > unacceptable.
> >
> > The root cause bug is most likely in an underlying library (and
> > possibly failure of Debian to update), caused by a file in one of
> > the standard media directories. Still, for the sake of reliability, it
> > is totally insane and unacceptable that VLC crashes just because of
> > a bug in a demuxer triggered by a file that is neither being played
> > and in a directory that was not explicitly added.
> >
> > If this hits one out of a dozen devs, how many million users will
> > have VLC crash straight away?
>
> As you know, this is correctly tracked as #25119 whereas this
> patchset tackles #22687. From my experience, this helped
> highlight a lot of issues in the code with sanitizers, like
> prefetch, so it at least served a better purpose for the user,
> and we probably need to have a good report system (at least for
> developers) if moved to a dedicated process. This should be
> discussed on #25119 though, as it's out of scope here.

Wow, you guys are a bit scary. I'm glad that you mention the opportunity
to sanitize code, but I can't help but react on the security concerns
of this. That kind of feature is a staple of remote exploit or worm
scenarios: first desktop UX developers come up with a streamlined
vision, then the web browser or some other application has auto-download
or auto-saving of files, then a media component (VLC here) has
auto-indexing with preparsing, auto-thumbnailing or whatever else,
then all you need is to inject from anywhere a file in some obscure,
little-known and poorly maintained demux or codec format with unpatched
vulnerabilities in that third-party library, and there you go, automated
RCE. This is the kind of story where you get laughed at by security
people.

And using a separate process won't solve that. I sure hope there will be
a first-run dialog message to warn and allow the user to disable this
auto-indexing feature - is there another ticket tracking that?

-- 
Pierre Ynard
"A soul in a body is like a drawing on a sheet of paper."