Vulnerabilities in QNAP, Ffmpeg and VLC

Sep 22, 2009

Daniel Kottmair

The Secunia security firm has found multiple vulnerabilities in the popular ffmpeg multimedia framework that is the basis for most Linux media players.

Numerous cases of heap memory corruption and null pointer dereferences can allow specially prepared media files to execute malicious code on target systems. Secunia confirmed the vulnerability in the popular ffmpeg version 0.5. The advisory also confirms that some of the security holes have been fixed in the SVN repository and the remainder should be closed immediately.

The VideoLAN Client (VLC) project has meanwhile released version 1.0.2, which fixes a number of stack overflow problems in the AVI, MP4 and ASF demuxers that also allowed specially prepared media files to execute malicious code. Affected were all VideoLAN versions back to 0.5.0, so that the update is recommended for all users. VLC also uses the ffmpeg framework, although it's not clear whether the vulnerabilities correspond to those reported by Secunia. The descriptions are nonetheless very similar.

Even QNAP, the popular maker of NAS hard disks, faces some security issues. As is reported, a secondary key is added to the hard disk encryption and stored in flash memory with insufficient obfuscation, thus enabling an attacker physical or network access to unlock and reproduce the hard disk contents. Especially precarious for a product calling itself secure storage is the presence of what by all appearances is a back door with a weakly protected and nonsensical key. QNAP was informed of the problem and promises a firmware update fix in October.

DevOps

Reinvent your network with DevOps tools and techniques:

AWS Automation Documents
Jekyll – A DIY HTML Engine
Automated Jenkins CI
Auditing Docker Containers in a DevOps Environment
Cloud Orchestration with Chef
Become a certified DevOps professional with the new Linux Professional Institute DevOps Tools Engineer certification."

News

Red Hat Enterprise Linux 7.5 Released

Community , Red Hat , Red Hat Linux

The latest release is focused on hybrid cloud.
Microsoft Releases a Linux-Based OS

Community , Kernel

The company is building a new IoT environment powered by Linux.
Solomon Hykes Leaves Docker

In a surprise move, Solomon Hykes, the creator of Docker has left the company.
Red Hat Celebrates 25th Anniversary with a New Code Portal

The company announces a GitHub page with links to source code for all its projects
Gnome 3.28 Released

Community , Gnome

The latest GNOME rolls out with better contact management and new features for handling virtual machines.
Install Firefox in a Snap on Linux

Community , Linux , Mozilla Foundation

Mozilla has picked the Snap package system to deliver its application to Linux users.
OpenStack Queens Released

OpenStack

The new release comes with new features for mission critical workloads.
Kali Linux Comes to Windows

Linux

The Kali Linux developers even managed to run full blown XFCE desktop via WSL.
Ubuntu to Start Collecting Some Data with Ubuntu 18.04

It will be an ‘opt-out’ feature.
CNCF Illuminates Serverless Vision

The Cloud Native Computing Foundation announces a paper describing their model for a serverless ecosystem.