Secunia and VLC Team got into a hot argument after Secunia set the patch status of their VLC vulnerability report to "UnPatched".
At the end of last year, Secunia team reported a vulnerability(SA51464) in VLC version 2.x. The root cause of the vulnerability lies in the underlying FFmpeg library, which VLC statically links to. It was reported that the vulnerability was caused due to a buffer overflow issue when parsing SWF files, which was incorrect. (as Secunia Reports)
When the VLC team came to know about the issue they tried to fix it but they missed the root cause and didnot solve the core problem. They released the next VLC version and claimed it to be safe but this was not the case as said by Secunia team. The VLC team kept on releasing the version from 2.0.5 to 2.0.7 and claimed that the vulnerability was fixed.
When after the release of version 2.0.6 Secunia team still reported the vulnerability unpatched , VLC approached Secunia and threatened to take legal action, as the Secunia team says- " On May 21st, 2013, the VLC team contacted us after office hours and threatened us with legal action if we did not update Secunia Advisory SA51464 and changed its patch status within 24 hours of sending the email."
Secunia team did not sit down hand in hand even after that. The team says-"We conducted further analysis after we updated our advisory and concluded that the issue is exploitable even in the newly released version 2.0.7. We have therefore updated our advisory and set the patch status of Secunia Advisory SA51464 to unpatched. Any future legal action from the VLC team will be dealt with accordingly. "
Later he vulnerability was fixed in the version 2.1.0. One of the member of VLC commented on REDDIT-"Of course there was a bug! Thanks for reporting. The issue has been properly fixed in 2.1.0. If the backport hasn't been done to 2.0 it's my responsibility, since it was late, I procrastinated it and then it slipped out of my mind due to real life contingencies. For that I apologize to our users and the rest of the team that has to deal with this drama."
Well the vulnerability is reported to be fixed in the version 2.1.0 as reported by the VLC as well as Secunia team but this seemed to be a good session of arguments.
Author: Shalini Bhushan