Vulnerabilities in QNAP, Ffmpeg and VLC
The Secunia security firm has found multiple vulnerabilities in the popular ffmpeg multimedia framework that is the basis for most Linux media players.
Numerous cases of heap memory corruption and null pointer dereferences can allow specially prepared media files to execute malicious code on target systems. Secunia confirmed the vulnerability in the popular ffmpeg version 0.5. The advisory also confirms that some of the security holes have been fixed in the SVN repository and the remainder should be closed immediately.
The VideoLAN Client (VLC) project has meanwhile released version 1.0.2, which fixes a number of stack overflow problems in the AVI, MP4 and ASF demuxers that also allowed specially prepared media files to execute malicious code. Affected were all VideoLAN versions back to 0.5.0, so that the update is recommended for all users. VLC also uses the ffmpeg framework, although it's not clear whether the vulnerabilities correspond to those reported by Secunia. The descriptions are nonetheless very similar.
Even QNAP, the popular maker of NAS hard disks, faces some security issues. As is reported, a secondary key is added to the hard disk encryption and stored in flash memory with insufficient obfuscation, thus enabling an attacker physical or network access to unlock and reproduce the hard disk contents. Especially precarious for a product calling itself secure storage is the presence of what by all appearances is a back door with a weakly protected and nonsensical key. QNAP was informed of the problem and promises a firmware update fix in October.
Issue 202/2017
Buy this issue as a PDF
News
-
LibreOffice 5.4 Released
Comes with improved support for Microsoft Office file formats.
-
Red Hat to Drop Support for Btrfs
The company is building their own storage solution called Stratis.
-
Reinvent your network with DevOps tools and techniques:
Opportunities and Risks: Containers for DevOps
Automated Builds Using CentOS 7 and Kickstart
Elasticsearch, Logstash, and Kibana – The ELK stack
Are you ready for DevOps? Try your luck with the beta version of Linux Professional Institute's new DevOps exam.
-
Kolab Now Integrates Collabora Online
Kolab Now subscribers now have access to Collabora Online.
-
Endless OS, a Distribution Without Internet
A new version of Endless OS has been released.
-
GitHub Announces Open Source Friday Program
They encourage people to take time out and work on open source projects on Friday.
-
System76 Announces Their Own Distro, Pop!_OS
Pop!_OS is based on Ubuntu and uses the Gnome stack.
-
Linus Torvalds Talks About His Motivation
He never tires of working on the Linux kernel.
-
Debian 9 Stretches Its Wings
The new release of Debian has a very strong focus on security.
-
Trojan Turns Raspberry Pi into a Cryptocurrency Mining Device
Two trojans in the wild are targeting Linux machines.