About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
Thread:
-
Show this thread
-
Replying to @videolan @MITREcorp
So libEBML fixed a vulnerability in 1.3.6, but didn't assign a CVE to it? And as a result, a fully-patched Ubuntu 18.04 system provides a vulnerable 1.3.5 version?
2 replies 1 retweet 23 likes -
Now to be fair, it's not *immediately* obvious that the flaw lies within libEBML, if you're just looking at the crash details itself. I probably wouldn't have known, had
@videolan not mentioned it. Removing the http://libebml.so .4.0.0 file does make the PoC fail to crash.pic.twitter.com/1m7Rf3HKgH
2 replies 0 retweets 7 likes
And for the record, this appears to be the libebml commit that causes the PoC for this case to no longer crash:https://github.com/Matroska-Org/libebml/commit/b66ca475be967547af9a3784e720fbbacd381be6 …
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.