A 'CRITICAL' FLAW in VLC Media Player has been downgraded after VideoLAN claimed the issue was fixed 16 months ago.
The NIST National Vulnerability Database has slashed its rating for CVE-2019-13615 from 9.8 to 5.5 and "is awaiting reanalysis which may result in further changes to the information provided" after VideoLAN, the not-for-profit open-source organisation behind VLC Media Player, complained that the advisories and associated CVEs were wrong.
Taking to Twitter, VideoLAN blamed a reporter for running VLC on an old version of Ubuntu with out-of-date libraries, and security firm MITRE for issuing a CVE before it could examine the reporter's claims.
About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
— VideoLAN (@videolan) 24 July 2019
The issue highlighted by the researcher, VideoLAN claims, lies in a third-party library that was fixed more than 16 months ago. "VLC since version 3.0.3 has the correct version shipped and MITRE did not even check their claim," VideoLAN tweeted.
The company went on to explain that the reporter who claimed to have uncovered the problem was running Ubuntu 18.04 - the latest long-term release is 18.04.2 and the most up-to-date version is 19.04 - without all the associated libraries updated. Instead of emailing the company, the reporter filed a bug on the organisation's bug tracker - which is public.
"We could not, of course, reproduce the issue, and tried to contact the security researcher, in private," the company added. At the same time, MITRE picked up the bug report and issued a CVE without talking to VideoLAN first.
This, it claimed, not only contravenes MITRE's own policies but is also not the first time that it has done that. "This has been going on for years: almost all CVEs on VLC have completely insane CVSS [severity ratings]," it added.
"Any non-exploitable read overflow gets CVSS of 9.8, like VLC is a server and you could do RCE and compromise the machine, while most of the time, the issue is a crash, often not exploitable, from a local file that the user HAS to open manually. And, of course, they are never corrected."
However, the issue blew up when Germany's Computer Emergency Response Team (CERT-Bund) issued its own advisory without, VideoLAN claimed, even trying to reproduce the flaw or contacting it.
"Would @MITREcorp behave the same way if we were Microsoft or another big company? But, no, we're just a small non-profit, that does not even have the money to pay someone full-time..."
As a result of VideoLAN's justified complaints, the CVE rating was slashed, with the possibility of a further downgrade.