Hacked in translation

May 25, 2017

Original news

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.

That’s heavy. An upgraded version is already available for VLC, but what bothers me is the lack of information and the faulty update mechanism. When I launch VLC on my MacBook Pro:

You’re up-to-date!

VLC 2.2.4 is currently the newest version available.

No, I’m not up to date, and no, this is not the newest version available on the VLC website:

Version 2.2.5.1 • Mac OS X • 33 MB

I wish I had a decent package manager like on most GNU/Linux distros.

Debian package vlc

  • jessie (stable) 2.2.5-1~deb8u1
  • stretch (testing) 2.2.5.1-1~deb9u1
  • sid 2.2.5.1-1~deb9u2

As a side note, this does not make VLC risk free on that particular distro as other vulnerabilities remain.

Digging on the VLC webiste, I find no info on the vulnerability exploit and the supposed fix.

Log:

Changes between 2.2.5 and 2.2.5.1:
Security hardening for DLL hijacking environments
Translations updates
Misc: (...)

So I download the source code (you need to follow two links in order to have access to the repository):

$ git clone http://git.videolan.org/git/vlc.git
Cloning into 'vlc'...

Maybe on some branch?

vlc (master)$ git branch -lr
  origin/HEAD -> origin/master
  origin/master

Nope, a single branch, but some tags:

vlc (master)$ git tag -l | grep 2.2
2.2.0-git

Good luck finding when and where and how it was fixed. Reddit gave me pointers to 2 commits but the commenter is not sure at all that they are relevant. Well, I’m note sure what I expected, but I suppose the nasty bug is fixed.