CERT-Bund has issued a critical advisory regarding an alleged persistent vulnerability in all versions of VLC Player from version 18.104.22.168 and older. VLC Player is a very popular cross platform open source media player with versions available in Windows, Linux, MacOS, iOS, Android and Unix. The bug has something to do with buffer over-read, connected with the player’s handling of mkv files. It was recorded under CVE-2019-13615, and described by ESET, a mainstream antimalware vendor, as: “A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files.”
A German website, Heise also even claimed that it goes beyond mkv files, as malformed .mp4 files can also trigger the same bug in VLC Player. The bug is handled in the Videolan.org’s bug tracker page titled: heap-buffer-overflow on demux_sys_t::FreeUnused. The bug report has been filed last Jun 19, 2019, by Marvin Scholz. Apparently the fix has been issued by Hugo Beauzee-Luyssen. “This fixes the meson underscore prefix test, which misbehaves when -g is passed, as it would detect the debug string without underscore first and incorrectly report that no underscore prefix for symbols is used. Fixes build issues with dav1d, which relies on the underscore prefix check,” explained Hugo Beauzee-Luyssen.
However, the VideoLan team who develops VLC Player denied that it is the program’s own fault. It mentioned that a 3rd party library libebml is the one responsible for the critical vulnerability. The organization even highlighted that the libebml library bundled with VLC Player is not vulnerable to any security flaws since VLC version 3.0.3.
“About the ‘security issue’ on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim,” clarified VLC team through its official Twitter handle @videolan.
As far as the VideoLan team is concerned, they are on top of the situation. No actual first-party component of VLC were involved in any critical vulnerability. They also wish that the media should report only legitimate news, and not drag the project to embarrassing stories that they have nothing to do with.
“So, a reporter, opened a bug on our bugtracker, which is outside of the reporting policy, aka, mail us in private on the security alias. Of course, our bugtracker is public. We could not, of course, reproduce the issue, and tried to contact the security researcher, in private. For whatever reason, unknown to us, @MITREcorp decided to issue a CVE, without talking to us. This is in direct violation of their own policies,” conlcuded @videolan.