Earlier this month, VideoLAN – the maintainers of the world’s most popular open source media player, VLC – issued the biggest single set of security fixes in the program’s history.
Numbering 33 in all, the fixes covered two flaws rated critical, 21 rated medium and 10 rated low, and brought VLC to version 3.0.7.
But perhaps the most interesting part of the story is less the flaws themselves than the process through which they were found.
The most serious flaws
The first of the criticals, CVE-2019-12874, discovered and documented in detail by Symeon Paraschoudis of Pen Test Partners, is an out-of-bounds write flaw in the FAAD2 MPEG-4 and MPEG-2 AAC decoder library used by VLC 3.0.6 and earlier.
The second is CVE-2019-5439, a stack buffer overflow in version 4.0.0 beta’s Reliable Internet Stream Transport (RIST), potentially allowing remote code execution (RCE) at the user’s privilege level if the user can be persuaded to open a malicious AVI or MKV video file.
The mediums, meanwhile, are described by VideoLAN’s Jean-Baptiste Kempf as “mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues,” which could crash VLC.
The number of vulnerabilities serves as a reminder of the complexity of media players, which must support numerous file formats, codecs and text renderers, any one of which can open security holes. However, according to Kempf, the number of fixes this time was directly connected to the bug bounty sponsorship offered under the EU-FOSSA 2 program, which rewards hackers for finding critical flaws in open source software used by EU institutions.
By the standards of proprietary programs, this is pretty modest – only $220,000 had been scheduled for payment via the Intigriti/Deloitte and HackerOne platforms as of April 2019 – but it is still a step up for open source reporting, which normally relies on researchers looking for kudos alone.
But paying researchers to find open source flaws doesn’t settle the question of who will write the fix, which is why EU-FOSSA 2 offers a 20% bonus to researchers who take the time to do that.
Interestingly, Kempf admits he’s not a fan of bug bounties on the basis that they incentivise researchers to find flaws but not the fixes for the flaws. As he writes:
What about you give money to VLC instead of random hackers?
Not all of the “hackers” who send VideoLAN news of security weaknesses are helpful either:
Some reporters were more than distasteful, insulting, impatient, trying to get 2 times the bounty for the same bug, or even reporting the issues to other programs (Android one) to get more money.
As explained in VideoLAN’s alert, anyone running 3.0.6 or earlier should update to 3.0.7 as soon as possible, and refrain from opening files from untrusted third parties until they do. VLC doesn’t update automatically, but it does have an update notifier (Tools > Preferences > Privacy / Network Interaction > Activate updates notifier) that, when enabled, checks for new versions every three days by default.
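For administrators who want to check a fleet rather than wait for the in-app notifier, the following is an added example (not VideoLAN code and not from the original article) that compares an installed VLC version against the fixed 3.0.7 release. It assumes the first line of `vlc --version` output contains the version as a dot-separated number; the comparison itself is a plain POSIX sh implementation that does not rely on GNU `sort -V`.

```shell
#!/bin/sh
# Added example: flag VLC installs older than the 3.0.7 security release.
# Assumption: the version number appears on the first line of `vlc --version`.

FIXED_VLC_VERSION="3.0.7"

# version_lt A B
# Returns 0 (true) when dot-separated numeric version A is lower than B.
# Missing components are treated as 0, so "3.0" compares equal to "3.0.0".
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        p1=$(printf '%s' "$1" | cut -s -d. -f"$i")
        p2=$(printf '%s' "$2" | cut -s -d. -f"$i")
        p1=${p1:-0}
        p2=${p2:-0}
        if [ "$p1" -lt "$p2" ]; then return 0; fi
        if [ "$p1" -gt "$p2" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# extract_version LINE
# Prints the first dot-separated numeric version found in LINE, e.g.
# "VLC version 3.0.6 Vetinari" -> "3.0.6". Prints nothing if none is found.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# vlc_needs_update VERSION_LINE
# Returns 0 when the version in VERSION_LINE is below FIXED_VLC_VERSION,
# 1 when it is up to date, and 2 when no version could be parsed.
vlc_needs_update() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VLC_VERSION"
}

# Usage on a host with VLC installed (only runs when an argument is passed,
# so that sourcing this file defines the functions without side effects):
#   sh vlc_check.sh --check
if [ "${1:-}" = "--check" ]; then
    line=$(vlc --version 2>/dev/null | head -n 1)
    case $(vlc_needs_update "$line"; echo $?) in
        0) echo "VLC $(extract_version "$line") is vulnerable; update to $FIXED_VLC_VERSION or later" ;;
        1) echo "VLC $(extract_version "$line") is at or above $FIXED_VLC_VERSION" ;;
        *) echo "Could not determine VLC version" ;;
    esac
fi
```

The comparison function is deliberately numeric rather than lexical, so 3.0.10 is correctly treated as newer than 3.0.7; a naive string comparison would get that wrong.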