

Security vulnerability found in movie subtitle files

<< < (2/3) > >>

mouser:
That is an excellent question!! It's very hard to find details anywhere...

The Kodi page for the latest update says this, which suggests that the subtitle text file itself is not the culprit:
To be clear this possible vulnerability is only present when you first enable a subtitle download add-on and then actually download zipped subtitles. Any subtitles that you already have as text file, are embedded in the video stream or are included with your DVD or Blurays are safe.
--- End quote ---

That sounds like the security vulnerability was in the automatic downloading and unpacking of zipped subtitle files by media players.

But I'd really like some confirmation about that.

Another media player change log sheds a little bit of light, but not much:

https://ci.popcorntime.sh/job/Popcorn-Time-Desktop/249/

f0dder:
I would have thought UTF-8 subtitles and buffer overruns leading to code execution - specifically mentioning .zip downloads makes me think otherwise.

It could be several different bugs in different players - it could be absolute paths in zip files? - it could be one or more bugs in one or more common subtitle handling libraries.

Interesting! :)
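One of the possibilities raised above is that the problem sits in how a player unpacks a downloaded subtitle zip rather than in the subtitle text itself. The following is an added example (not code from any of the players or from anyone in this thread) showing the kind of check a downloader can run before extracting: reject entries with absolute paths or `..` components, refuse the whole archive rather than extracting part of it, and re-verify the resolved target path against the destination. The archive contents are constructed in memory for the demonstration; the function names are my own.

```python
"""Defensive pre-extraction check for downloaded subtitle archives (added example)."""
import io
import os
import zipfile
from pathlib import PurePosixPath


def is_safe_member(name: str) -> bool:
    """True if a zip entry name cannot escape the extraction directory."""
    normalised = name.replace("\\", "/")
    # Absolute paths: POSIX root or a Windows drive letter such as C:.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False
    # Any '..' component could walk up out of the target directory.
    if ".." in PurePosixPath(normalised).parts:
        return False
    return True


def unsafe_members(archive: bytes) -> list:
    """List the entries that would be rejected, without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n)]


def safe_extract(archive: bytes, dest: str) -> list:
    """Extract only if every entry is safe; returns the paths written.

    The whole archive is rejected up front (no partial extraction), and the
    resolved target of each entry is re-checked against the destination.
    """
    dest = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = [i.filename for i in zf.infolist() if not is_safe_member(i.filename)]
        if bad:
            raise ValueError(f"refusing archive with unsafe entries: {bad}")
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"entry resolves outside destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_sample_zip(include_hostile: bool = True) -> bytes:
    """Constructed in-memory archive: one benign .srt plus hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("movie.srt", "1\n00:00:01,000 --> 00:00:02,000\nHello\n")
        if include_hostile:
            zf.writestr("../evil.srt", "would land outside the subtitles folder")
            zf.writestr("/abs/evil.srt", "absolute path")
    return buf.getvalue()


if __name__ == "__main__":
    print("rejected entries:", unsafe_members(build_sample_zip()))
```

The check is done on the entry names before anything is written, because a partially extracted archive is itself a problem for a player that then scans the folder for new subtitle files. The `commonpath` test after `realpath` catches anything the name-based filter misses on a given platform.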

mouser:
I would have thought UTF-8 subtitles and buffer overruns leading to code execution - specifically mentioning .zip downloads makes me think otherwise.
--- End quote ---

Agreed -- my first assumption was buffer overflow -- i.e. text subtitles designed to be so long as to overwrite memory.  But it looks now like it might be related to special features that these media players provide when downloading subtitle files -- like rendering a web page with info from the subtitle author or another additional files included in a subtitle zip package?

anandcoral:
It boils down to any "app" which tries to display "html" from the web being vulnerable to being hijacked. And the author has nothing to do with it.

Generally a program uses an "object" in the code which uses some dll to show, say, an IE window in the program itself. Since the main browser (Edge, Firefox, etc.) is not called but a scaled-down version of an old library, the vulnerability increases.

The only solution looks like not using the "in window html display" but calling the default browser.

Regards,

Anand

tomos:
This is not quite clear to me here:
It boils down to any "app" which tries to display "html" from the web being vulnerable to being hijacked. And the author has nothing to do with it.

Generally a program uses an "object" in the code which uses some dll to show, say, an IE window in the program itself. Since the main browser (Edge, Firefox, etc.) is not called but a scaled-down version of an old library, the vulnerability increases.
-anandcoral (May 29, 2017, 05:41 AM)
--- End quote ---

1) if the App is using the IE engine to show a web or html page, what has Firefox to do with it?

2) what you're saying -- sounds like any PIMs that use the IE engine are (currently) risky?
