Daily Archives: July 24, 2019

When vulnerability disclosure goes wrong

Four weeks ago, a new critical vulnerability was reported in the widely used VideoLAN VLC Media Player. At the time, no fix was available.

Earlier today, key developers from VideoLAN analysed the bug report and found that the exploit simply causes a memory leak which does not always crash the player. At no time was this behaviour exploitable by an attacker; it was simply a non-security code issue.

After further analysis, it was determined that the issue lay within a third-party library, libebml. Version 1.3.6 resolves the reported issue and was shipped with VLC version 3.0.3 (in May 2018). The release notes from that time state “Numerous 3rd party libraries updated, fixing security issues”.

The above bug report was interesting since numerous technology news websites and even CERTs had incorrectly warned of the vulnerability and stated that a fix was 60% complete (it is unknown how that figure was obtained).

It demonstrates how quickly the report of an issue can spread, long before anyone has worked on it and verified its legitimacy. After analysis by key VLC developers, there wasn’t an issue at all in updated versions of VLC.

This is really unfair to VideoLAN. They received a lot of negative press for an issue that wasn’t their fault. The truth of the matter is that nobody checked the claims of the person disclosing it before going to the media, and the original reporter of the vulnerability disclosed it on a public forum rather than privately to VideoLAN.

Today demonstrates how NOT to disclose a vulnerability.

Please find below the link to the bug report, the full details provided by VideoLAN on their Twitter account, and further background information:

https://trac.videolan.org/vlc/ticket/22474

https://twitter.com/videolan/status/1153963312981389312

https://portswigger.net/daily-swig/vlc-developer-debunks-reports-of-critical-security-issue-in-open-source-media-player

Thank you.