Last week, the President of the VideoLan non-profit organization, Jean-Baptiste Kempf, released the VLC 3.0.7, a minor update of VLC branch 3.0.x. This release is termed as ‘special’ by Kempf, as it has more security issues fixed than any other version of VLC.
Kempf has said that “This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the FOSSA program.”
Last year, the European Commission had announced that they will support Bug Hunting for 14 open source projects it uses. As VLC Media Player was one of the products they used, they were sponsored by EU-FOSSA.
In a statement to Bleeping Computers, Kempf has stated that they had “no money”, for having the bug bounty previously. He also added that, the EU-FOSS sponsorship program provided more "manpower" towards funding and fixing security bugs in the VLC 3.0.7.
According to the blogpost, VLC Media Player 3.0.7 have fixed 33 valid security issues, with 2 being high security issues, 21 being medium security issues and 10 being low security issues. Out of the two high security issues, one was an out-of-bound write issue, in the the faad2 library, which is a dependency of VLC and the other is a stack buffer overflow, in the RIST Module of VLC 4.0.
The medium security issues include mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues. The low security issues are mostly integer overflow, division by zero, and other out-of-band reads.
Kempf has also mentioned in the blogpost, that the best hacker via their bug bounty program was ele7enxxh. Bleeping Computers reports that ele7enxxh has addressed total of 13 bugs for $13,265.02.
Users are quite happy with this release, due to the huge security fixes and improvements in the VLC 3.0.7 version.
https://twitter.com/evanderburg/status/1136600143707246592
https://twitter.com/alorandi/status/1137603867120734208
The VLC users can download the latest version from the VideoLan website.
VLC’s updating mechanism still uses HTTP over HTTPS
dav1d 0.1.0, the AV1 decoder by VideoLAN, is here
NSA warns users of BlueKeep vulnerability; urges them to update their Windows systems