Fix for the VLC subtitle vulnerability (or lack thereof...)

With VLC being the standard media player in the current LTS release (and unfortunately even a hard dependency of ubuntu-mate-desktop), the following unfixed security issue(s) should be brought to the attention of its users: https://bugs.launchpad.net/ubuntu/+source/vlc/+bug/1693893

Due to Ubuntu’s VLC being community-maintained, this bug is in state “incomplete” with no indication of if/when a fix will be made available.

For now I just removed any VLC files that could be related to subtitles from /usr/lib/vlc/plugins:

  • codec/libcvdsub_plugin.so
  • codec/libdvdsub_plugin.so
  • codec/libsubsdec_plugin.so
  • codec/libsubstx3g_plugin.so
  • codec/libsubusf_plugin.so
  • codec/libvcdsub_plugin.so
  • demux/libsubtitle_plugin.so
  • demux/libvobsub_plugin.so
  • video_filter/libsubdelay_plugin.so

2 Likes
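As an added example (not part of the original post or of the VLC project), the following POSIX shell functions audit a VLC plugin tree for exactly the subtitle-related plugins listed above, so a user can confirm the workaround was applied and, just as usefully, notice when a later package upgrade has put the files back. It assumes the Ubuntu plugin root named in the post, /usr/lib/vlc/plugins, but takes another root as its first argument.

```shell
#!/bin/sh
# Added example, not from the original post: check which of the subtitle
# plugins named in the post are still present under a VLC plugin root.

# Plugin paths exactly as listed in the post, relative to the plugin root.
VLC_SUBTITLE_PLUGINS="
codec/libcvdsub_plugin.so
codec/libdvdsub_plugin.so
codec/libsubsdec_plugin.so
codec/libsubstx3g_plugin.so
codec/libsubusf_plugin.so
codec/libvcdsub_plugin.so
demux/libsubtitle_plugin.so
demux/libvobsub_plugin.so
video_filter/libsubdelay_plugin.so
"

# Print every listed plugin that exists under the root given as $1
# (default: the Ubuntu path from the post), one absolute path per line.
# Returns 0 when none are present, 1 when at least one still exists,
# so it can drive an "if" in a login script or a cron job.
vlc_subtitle_plugins_present() {
    root="${1:-/usr/lib/vlc/plugins}"
    found=0
    for rel in $VLC_SUBTITLE_PLUGINS; do
        if [ -e "$root/$rel" ]; then
            printf '%s\n' "$root/$rel"
            found=1
        fi
    done
    return $found
}

# Print the number of listed plugins present under the root given as $1.
vlc_subtitle_plugin_count() {
    vlc_subtitle_plugins_present "$1" | wc -l | tr -d ' '
}

# Stand-alone use: report and exit non-zero if anything is still installed.
if [ "${0##*/}" = "vlc_subtitle_audit.sh" ]; then
    if vlc_subtitle_plugins_present "$1"; then
        echo "no subtitle plugins found"
    else
        echo "subtitle plugins still present (see list above)" >&2
        exit 1
    fi
fi
```

Saved as vlc_subtitle_audit.sh and run after each VLC upgrade, it tells you whether the package manager has restored the removed plugins; once the fixed package is installed the files are supposed to be present again, so the check is only meaningful while the workaround is the chosen mitigation.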

[quote=“maximuscore, post:1, topic:13773”]should be brought to the attention of its users[/quote]

Definitely. This has the potential to be quite a serious security risk and mitigating that risk should be a fairly high priority given the very common nature of media players and subtitles.

If I understand correctly it is a vulnerability in the parsing of subtitles by multiple media players. They name 4 but there could be more, right? I hope I’m safe by using mpv and using srt subtitles.

edit: After watching the video it looks like it is the way those media players download the subtitle from opensubtitles.org that causes the vulnerability. And the vulnerability is that they can connect to your PC via VNC. So that will be mostly Windows PCs.

1 Like

Indeed. I was about to correct you :slight_smile:

Anyways, one more thing to consider for those users amongst us who just seem incapable of understanding the idea that they should keep their software’s interaction with the internet to an absolute minimum. Don’t fall for the so-called features for your convenience. Want subtitles? Download them from your browser.

2 Likes

Or use subliminal :slight_smile:

Update: fixes for all supported releases except Trusty have been pushed out at this point.

2 Likes

vlc (2.2.2-5ubuntu0.16.04.3) xenial-security; urgency=high

I wondered what this was all about. Not too many get an urgency=high rating.