The funny thing is that the rebuttal is not even denying the claims by Secunia. He is reiterating multiple times "But the PoC didn't work anymore!" while this is something the Secunia post explicitly admits (while saying that the fix that broke the PoC just made it harder to exploit the ffmpeg issue, not impossible). Feels like a lot of emotion involved in this one, and a little bit too much shouting "Lies! Lies! Lies!" again and again for my taste.
Oh, the response looks as bad as the blog post by Secunia. Well, that's rather disappointing. I don't know much about security, but claiming an exploit is not possible anymore simply because the original implementation doesn't break the program anymore just doesn't seem very convincing. Same goes for calling all statements the author disagrees with lies.
Well, at least it's no wonder why those 2 groups fail to communicate. Thanks for the update Maxious!
I don't even care who's right about the vulnerability, threatening legal action in a case like this is so beyond the pale that the VLC project has just lost all credibility with me.
Even worse, while attacking Secunia for supposed "lies", they confess to a lie of their own:
> I don't even care who's right about the vulnerability, threatening legal action in a case like this is so beyond the pale
At some point, you need to make them react. And the only way a small open source project can get an answer from a big company is usually a threat to attack their wallet.
Sure, it might not have been the best thing to say, but I don't know how else we can make them react to the various issues that have been going on for years with Secunia.
Aside from the fact that it was socially unacceptable, do you realize you could have exposed yourself to legal attack?
I don't know what rules are typical in Europe for declaratory judgement actions, but in the US, Secunia would have basis for filing against you to have their speech declared non-defamatory.
If you don't have a lawyer to do it for you, don't threaten legal action.
Publishing private emails is probably illegal too (it is in Germany, in France and Italy)... And claiming a POC is 'arbitrary execution' when it is not... We've gone down that road for a long time, you know...
I would prefer spending my free time working on VLC (which I do usually) than having to deal with those things... Especially since we still have no vulnerability POC...
> Publishing private emails is probably illegal too (it is in Germany, in France and Italy)...
It is not illegal in Denmark, if one of the participants publishes it. Similarly, it is not illegal to record a conversation in Denmark without acknowledgement from the other participants, if one of the participants is the one recording it.
> Publishing private emails is probably illegal too
I don't claim to know the law on this in those countries, though Svip says it's not illegal in Denmark (Secunia's jurisdiction).
Letter of the law aside, are court records not public in your jurisdiction? In the US, that email would have been promptly entered into evidence without redaction. In that light, posting it now makes no practical difference. You'd already dishonestly informed them you were commencing suit in 24 hours.
> I would prefer spending my free time working on VLC
Then do so. And if you really feel the VLC project needs to respond to Secunia in any way, have someone else do it. You're not very good at it.
A grep of your git log indicates at least 7 developers with >100 commits in recent history. I'd hope there's a decent chance at least one of them is better at crisis management and general PR. Certainly collectively you could have done better than the rushed (and at times nearly incomprehensible) statements you've been making.
It's sad that your reaction to reasoned advice is to lash out with snark rather than simply to appreciate that you've been given a playbook for dealing with both current and future issues of this kind. The first play, by the way, being "stop lashing out".
That screenshot doesn't really prove anything. I mean... I can't even tell if it's the latest VLC version.
Anyway... interesting debate about statically linked libraries. Seems like the original vulnerability was in ffmpeg (VLC statically links to it). So in this case what should/can VideoLAN do?
One can argue that for a user it doesn't matter if it's ffmpeg, VLC or something else that's buggy. A user is installing VLC, has probably no knowledge of what ffmpeg is, and it's the use of VLC that exposes the user to the security bug.
As such, it's VLC's responsibility not to ship a product that may harm a user's computer, even if the error is not in their code.
Videolan should fix the bug. Secunia should report the bug to ffmpeg. If the bug's fixed by a later version of ffmpeg then great, use a later version. If it's not, fix the bug, wait for ffmpeg to have a fixed update and off you go.
To give you a similar example, have a look at this post about the impact of vulnerabilities in third party libraries on commercial forensic products[1].
I would suspect that expert witnesses relying on this could have a case argued against them in court regarding the integrity of the application data and their processes if they're not prepared.
> Seems like the original vulnerability was in ffmpeg (VLC statically links to it). So in this case what should/can VideoLAN do?
I responded to the question. But to answer yours:
> Which one are you referring to?
Specifically the ffmpeg bug that Secunia reported that you claimed to fix, which wasn't quite correctly fixed, when you decided to go and stir up drama on the Internet and threaten Secunia with lawyers you don't have and can't afford.
That one.
And that it's fixed now is irrelevant. You made a dick move by threatening legal action without having anything to back it up and it's cost you a lot of goodwill no doubt by stirring it up.
You're missing a couple steps in your timeline, specifically that the bug was fixed before Secunia's public disclosure, then Secunia ignored said fix, then claimed it wasn't fixed but provided no proof, then ignored VLC for months while claiming them to be uncooperative. Only then do they stir up this drama in a final attempt to get Secunia to either back up their claims or acknowledge their mistakes.
I realized what you meant after I posted that comment, so I deleted it (but obviously not before you replied). However we do disagree on the meaning of "exploit". If a file causes an application to crash, I consider that an exploit. It may not be arbitrary code execution, but it is exploitation of a denial of service vulnerability.
A denial-of-service vulnerability really ought to be something an attacker can force or plausibly trick you into doing, in such a way that you can actually be denied service. Calling "a file that, when opened, crashes the application" a vulnerability dilutes the term into uselessness. Even if someone somehow forces you to open the file, you don't lose VLC. You just lose this instance of VLC. You double-click on VLC again, and boom, up it comes, ready to go. That's an awfully low grade of "denial".
Just because you assume that VLC is going to be used as a desktop application and that exploitation would require opening a file by hand, doesn't mean that matches every use case.
VLC has broadcasting, relaying, stream processing capabilities, all scriptable. I have done POC transcoding and broadcast applications that required VLC. In these cases, a denial of service might be serious. Also, a use after free may involve other vulnerabilities that require more effort to exploit, but the onus is not on the reporter to iterate every possibility, it is on the developers to fix the bug.
This really sounds like an argument over triage of bugs for VLC (and perhaps some bad internal communications practices), and the VLC devs don't seem to understand that nobody cares about their internal process, just about getting the bugs fixed.
Don't get me wrong, I am not saying that is a good idea (I decided against it), but that the scope of this bug is much larger than just a desktop "Don't open that file then" kind of bug.
I'm not assuming anything. In fact my post has nothing to do with VLC, really. I'm challenging the idea that a crashing bug in a desktop app is a "denial of service". That's not a useful use of the term. If you want to talk about a different type of bug, go ahead... and you will be talking about a different kind of bug, so my comment won't apply to your new bug.
You completely missed the point. VLC is not just a desktop app. It's scriptable so it can be run on a headless server. Open Office is a desktop application but it's also a library that can be scripted against.
If I'm not really talking about VLC, how can I be missing the point?
I'm making the point I'm making. I have no obligation to be making the point you think I'm making, or you think I should make. You feel free to make others.
I don't really care if you call it a lie or not. I care that you attempted to invoke the legal system over a dispute regarding a vulnerability. I also care that you, by your own admission, lied.
Even if it were indisputably clear that Secunia did, in fact, knowingly lie about the vulnerability, I would still hold you in infinitely greater contempt for that sickening display of hypocrisy.
What would you do in VLC's place? Ignore Secunia? Use the public megaphone and try to out-yell Secunia using twitter/media/blogs? Drive over to their HQ?
I totally agree that invoking the legal system is a large step that shouldn't be taken in vain, but I don't see many other options the VLC team had here other than just ignoring Secunia.
A calm, thorough, carefully-proofread writeup free of legal threats and temper-tantrums sent to Secunia, and posted to FD, the VideoLAN development list, and the VideoLAN website, explaining VideoLAN's position. Direct future inquiries on the subject that don't proffer new information to that response.
Anything else is a gross overreaction to a garden-variety disagreement or misunderstanding.
As far as I knew, VLC is an open-source project. It completely replaced any other media players I used as it worked great and was free. I believed they finally made a great open-source media player. Now they're threatening to sue some company. What the hell, where do they even get the resources? And why do they need to sue anyone anyway? I'm not sure I like VLC as much anymore...
As it is an open source project, and they obviously have some internal communications issues at VLC, it is likely that you would get a different response and opinion about this depending on who at VLC you talked to. They don't have a traditional legal/PR/management structure, so they're naturally going to be more chaotic when dealing with things.
This isn't necessarily a bad thing, they're probably more resilient as well due to that loosely coupled structure, it just means that sometimes you get inconsistent communications, sometimes about important topics. It would be a mistake to think that VLC has some underlying dislike of vulnerability reports or an aversion to fixing known bugs, and I would be really surprised if counsel has been retained (or has vetted) this 'plan' to sue.
Well, maybe VLC did something wrong or maybe not. How can we say that simply from that article? The only things I can see for sure are (A) that Secunia failed to communicate their issues to VLC and (B) that Secunia seems to consider their own policies as god-given laws which all other companies must abide by as well. Both points don't seem all too convincing.
Because we receive a LOT of emails, from PSI users and from clueless users telling us that our software is insecure. This is a lot of support load and takes quite a bit of time.
Comments on the rebuttal ask "why don't they provide you with a working exploit? (for example, EIP = 0x41414141)"
So someone claims they did, attaching an example mkv file? http://seclists.org/fulldisclosure/2013/Jul/71 https://twitter.com/coolkaveh/status/354716804783943680