VLC 3.0.7 includes more security fixes than ever thanks to the European Commission

Version 3.0.7 of VLC has been released, and while it may seem like a minor x.x.x update, it includes more security fixes than any other previous release -- including two high security issues.

Jean-Baptiste Kemp, the president of VLC-maker VideoLAN, says the number of fixes included in this version is due to the EU-FOSSA bug bounty program, funded by the European Commission.

VideoLAN has reaped the benefits of the European bug bounty program, and the organization -- due to being a no-profit -- has previously said that it was unable to fund such a program of its own. Kemp says that in all there are 33 security fixes in VLC 3.0.7 that were attributable to the FOSSA program. He says that "we've had people ranging from the usual security-asshole to some of the nicest guys ever, who cared deeply to help us".

According to our scale, we have had 33 valid security issues fixed thanks to this program:

• 2 high security issues, (only one was present in 3.0.x),
• 21 medium security issues,
• 10 low security issues.

The 2 more important issues are an Out-of-Bound Write and a Stack Buffer Overflow.

the Out-of-Bound Write is not in the VLC codebase, but in a dependency of VLC, the faad2 library, unmaintained, unfortunately.

the Stack Buffer Overflow is a VLC 4.0-only issue in the new RIST module, and is therefore not impacting actual release of VLC.

The medium security issues are mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues. Those issues should not be exploitable with ASLR, but are important anyway, because they can crash VLC.

The low security issues are mostly integer overflow, division by zero, and other out-of-band reads with no actual impact. Those issues are not exploitable.

The best hacker on the program was https://hackerone.com/ele7enxxh.

So... get updating!