Vulnerabilities in QNAP, Ffmpeg and VLC
The Secunia security firm has found multiple vulnerabilities in the popular ffmpeg multimedia framework that is the basis for most Linux media players.
Numerous cases of heap memory corruption and null pointer dereferences can allow specially prepared media files to execute malicious code on target systems. Secunia confirmed the vulnerability in the popular ffmpeg version 0.5. The advisory also confirms that some of the security holes have been fixed in the SVN repository and the remainder should be closed immediately.
The VideoLAN Client (VLC) project has meanwhile released version 1.0.2, which fixes a number of stack overflow problems in the AVI, MP4 and ASF demuxers that also allowed specially prepared media files to execute malicious code. Affected were all VideoLAN versions back to 0.5.0, so that the update is recommended for all users. VLC also uses the ffmpeg framework, although it's not clear whether the vulnerabilities correspond to those reported by Secunia. The descriptions are nonetheless very similar.
Even QNAP, the popular maker of NAS hard disks, faces some security issues. As is reported, a secondary key is added to the hard disk encryption and stored in flash memory with insufficient obfuscation, thus enabling an attacker physical or network access to unlock and reproduce the hard disk contents. Especially precarious for a product calling itself secure storage is the presence of what by all appearances is a back door with a weakly protected and nonsensical key. QNAP was informed of the problem and promises a firmware update fix in October.
Issue 191/2016
Buy this issue as a PDF
News
-
Nextcloud Announces Raspberry Pi-Powered Home Cloud Box
Innovative system adds a hard drive and Ubuntu Core to the RPi for an IoT hub.
-
Linus Torvalds Confirms the Date of the First Linux Release
Linux is two weeks younger than we thought!
-
End of OpenOffice?
The Apache Software Foundation considers retiring OpenOffice
-
Adobe Gives New Life to NPAPI Plugin for Linux
Adobe won’t kill the plugin in 2017
-
LinuxCon North America Convenes in Toronto, Canada
Linux Foundation's big event celebrates the 25th anniversary of Linux
-
Linux Turns 25
Linux has evolved from “won’t be a professional” project to one of the most professional software projects in the history of computers.
-
Mirantis Joins Hands with SUSE To Offer RHEL Support; Red Hat Not Happy
Competitors get in the game with RHEL without Red Hat
-
Linux on Windows 10 Poses a Security Risk
Security researchers have already notified Microsoft; some fixes are available
-
Mirantis to Refactor OpenStack Fuel for Kubernetes
The company is collaborating with Google and Intel to use Kubernetes as an engine for Fuel
-
Canonical Joins Document Foundation Advisory Board
The upcoming release of LibreOffice will be available as a snap package