Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

The EU Bounty Program enabled in VLC 3.0.7 release, this version fixed the most number of security issues

Save for later
  • 2 min read
  • 11 Jun 2019

article-image

Last week, the President of the VideoLan non-profit organization, Jean-Baptiste Kempf, released the VLC 3.0.7, a minor update of VLC branch 3.0.x. This release is termed as ‘special’ by Kempf, as it has more security issues fixed than any other version of VLC.

Kempf has said that “This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the FOSSA program.”

Last year, the European Commission had announced that they will support Bug Hunting for 14 open source projects it uses. As VLC Media Player was one of the products they used, they were sponsored by EU-FOSSA.

In a statement to Bleeping Computers, Kempf has stated that they had “no money”, for having the bug bounty previously. He also added that, the EU-FOSS sponsorship program provided more "manpower" towards funding and fixing security bugs in the VLC 3.0.7.

According to the blogpost, VLC Media Player 3.0.7 have fixed 33 valid security issues, with 2 being high security issues, 21 being medium security issues and 10 being low security issues. Out of the two high security issues, one was an out-of-bound write issue, in the the faad2 library, which is a dependency of VLC and the other is a stack buffer overflow, in the RIST Module of VLC 4.0.

The medium security issues include mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues. The low security issues are mostly integer overflow, division by zero, and other out-of-band reads.

Kempf has also mentioned in the blogpost, that the best hacker via their bug bounty program was ele7enxxh. Bleeping Computers reports that ele7enxxh has addressed total of 13 bugs for $13,265.02.

Users are quite happy with this release, due to the huge security fixes and improvements in the VLC 3.0.7 version.

https://twitter.com/evanderburg/status/1136600143707246592

https://twitter.com/alorandi/status/1137603867120734208

The VLC users can download the latest version from the VideoLan website.


VLC’s updating mechanism still uses HTTP over HTTPS

dav1d 0.1.0, the AV1 decoder by VideoLAN, is here

NSA warns users of BlueKeep vulnerability; urges them to update their Windows systems

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at $19.99/month. Cancel anytime