VideoLan Says VLC is not vulnerable and Safe to UseVijayan Sankar (Author) Published Date : Jul 25, 2019 22:45 IST
Confusion continues with the VLC Media bug without clarity.
Allegations and counter-allegations flew on both sides in the VLC Media Player bug issue till late yesterday.
The confusion was the norm among many on the issue of the VLC bug all day. While VideoLan was busy on Twitter refuting the charges against it, there were still allegations on its bug.
VideoLAN even accused MTRIE Corp of not even checking their claim. Also, the vulnerability of VLC became the point of discussion among the tech-world.
Tech-world divided on the issue of the VLC bug:
While Lifehacker says need not to uninstall VLC Media Player, Gizmodo said it is safe to uninstall it.
PC Gamer says that the VLC bug is fixed. But the bug report filed under CVE-2019-13615 rates the issue as critical, and it is sure to affect the Video Media Player 220.127.116.11 along with its previous versions.
The contentions of VideoLan:
After the three comments from its President yesterday VideoLan took to twitter to answer all queries.
It confirmed that the issue is only by an older version of the third-party library called libebml. libebml library was included in the older versions of Ubuntu.
It also confirmed the researcher of the bug used only the older version of Ubuntu. Also, it was strong in its statement that VLC is not VULNERABLE.
The following are the explanations and queries by VideoLAN:
- The current issue is in the third party library libebml that got fixed 16 months ago
- VLC after the 3.0.3 has shipped the correct version
- MTRIE Corp did not even cross-check the claim
- The bug was reported in the bug tracker which was outside of the report policy
- The reporter is only using an old version of Ubuntu 18.04
- The CVE report was issued without consulting VLC, and it is not the first time it is doing it and going on for years. All CVEs on VLC have been completely insane CVSS.
- Also on the complaint to @usnistgov NSD, there is no help from them and not even support to fix the wrong information.
- The Certbund for reasons only known to them decided to do an advisory without checking the crash or vulnerability, and the least did not even contact us.
All these and more are the explanations that came out from VideoLAN's Twitter handle. VideoLAN.
About the "security issue" on #VLC : VLC is not vulnerable.â€” VideoLAN (@videolan) July 24, 2019
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.