May 29, 2017
00:12 jbracey_m joined
00:40 daey joined
00:41 <daey> is mplayer also affected by the subtitle vulnerability?
00:43 <gnarface> no
00:43 jbracey joined
00:44 <gnarface> though there seems to be some anonymous entity trying to spread the misinformation that it is
00:45 <gnarface> what i've heard is that the vulnerability is only in a plugin called opensubtitles that doesn't even support mplayer
00:45 <daey> i was checking the xbmc github to see how they fixed the issue. but there doesn't even seem to be a patch yet :P
00:45 <gnarface> i assume it's a 3rd party plugin and you're looking in the wrong place
00:46 <daey> ah. in that case the fix is probably there
00:46 <daey> yeah
00:46 <gnarface> someone is practicing AAA class disinformation spreading
00:47 <gnarface> the real question is who can profit from unjustly lambasting all the open source video players in this way. after all, it's not as though they don't have enough problems that you couldn't pin something true on them instead.
00:48 <gnarface> also, for whatever it's worth, if you're using a 3rd party subtitle plugin to dynamically download subtitle files, unscrubbed, streamed directly, from pirated sources... and you wanna blame that on your video player, you're in a whole new class of idiot
00:51 <daey> i didn't even know until yesterday xbmc etc. can do that :P i thought they were meant for 'stream things from your local streaming server'
00:52 <gnarface> i think it's a prime example of the danger in mixing highly extensible software with untrained users
00:52 <gnarface> there's a vast difference between what you CAN cram into an input and what you SHOULD cram into an input
00:52 <daey> well it's not a worse scenario than web browsers have to face
00:52 <gnarface> ah, but web browsers are specifically designed to be hardened for this type of thing
00:52 <daey> than what web browser have to face*
00:53 <daey> yeah
00:53 <gnarface> sloppy 3rd party subtitle plugins probably were never meant to be exposed to a public network
00:54 <gnarface> there's a lot of similar issues throughout the linux ecosystem where local console and desktop tools don't scrub input properly because nobody expected they'd ever be fed untrusted data in the first place
00:55 <daey> certainly
00:55 <gnarface> less of a security oversight and more of a case of tools being used for purposes they weren't really meant for
00:56 <gnarface> vlc can do streaming host&client stuff too, but i wouldn't expose it to a public data stream unless i was TRYING to get it hacked
00:57 <gnarface> in fact, i'd expect it's riddled with holes too
00:57 <gnarface> so this circles back to the question of "why?"
00:59 <gnarface> for whatever it's worth though, it'd probably be pretty easy to just write a simple perl script that can scrub subtitles and video alike to remove suspicious byte sequences
01:44 jbracey00 joined
02:44 jbracey joined
02:50 chewey joined
03:35 jbracey_m2 joined
03:44 jbracey00 joined
04:22 hfb joined
04:30 day__ joined
04:45 M6HZ joined
04:52 jbracey joined
05:31 jbracey00 joined
06:31 jbracey joined
07:31 jbracey00 joined
08:31 jbracey joined
08:47 McGuyver joined
08:55 kelnoky joined
08:59 ivanich joined
09:18 day__ joined
09:31 jbracey00 joined
09:52 iive joined
10:32 jbracey joined
10:58 ivanich joined
11:03 ivanich_ joined
11:15 ivanich_ joined
11:32 jbracey00 joined
12:30 Mista-D joined
13:00 jbracey joined
13:50 jbracey joined
15:57 kelnoky joined
18:15 iive joined
18:34 krabador joined
20:19 Bircoph joined
20:45 iml_ joined
22:59 debdog joined
23:01 Threads joined
23:02 Threads joined
23:04 Threads joined