VLC 3.0.7 and security

7 June 2019

Severity

According to our scale, we have had 33 valid security issues fixed thanks to this program:

  • 2 high security issues, (only one was present in 3.0.x),
  • 21 medium security issues,
  • 10 low security issues.

The 2 more important issues are an Out-of-Bound Write and a Stack Buffer Overflow.

the Out-of-Bound Write is not in the VLC codebase, but in a dependency of VLC, the faad2 library, unmaintained, unfortunately.

the Stack Buffer Overflow is a VLC 4.0-only issue in the new RIST module, and is therefore not impacting actual release of VLC.

The medium security issues are mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues. Those issues should not be exploitable with ASLR, but are important anyway, because they can crash VLC.

The low security issues are mostly integer overflow, division by zero, and other out-of-band reads with no actual impact. Those issues are not exploitable.

The best hacker on the program was https://hackerone.com/ele7enxxh.

Opinion about bug bounties

What follows is my personal opinion about those bug bounties programs, and is not VideoLAN’s point-of-view.

Usefulness

If you’ve listened to some of my talks or spoke to me (I’m sorry for you), you know I’m a bit critic of those programs, because they give money to find the issues, not to fix them.

What about you give money to VLC instead of random hackers?

Well, security is important, so this is cool for our users, but still this is a mixed bag, for me.

So, in order to mitigate that, we gave large extra-bonuses for fixes provided at the same time as issues were found, to improve this problem.

Hackers

During this program, we’ve had a lot of different hackers, from the best to the worst technically: so many script-kiddies, and people telling us that the VLC source code was visible… but also people who had deep understanding of C, of the stack and of memory issues.

But I would like to focus a bit more on the type of reporter we’ve seen.

We’ve had people ranging from the usual security-asshole to some of the nicest guys ever, who cared deeply to help us. And when working with the nicest people, they often send patches to fix too.

At the opposite, some reporters were more than distasteful, insulting, impatient, trying to get 2 times the bounty for the same bug, or even reporting the issues to other programs (Android one) to get more money.

The result of that, is that when you don’t know how much to award for a security issue (is it medium or low?), you decide on the niceness of the reporter :)

Thanks

In the end, I’d like to thank the European Commission, Julia Reda, the nice hackers and the people from the team who fixed all those bugs!

Jean-Baptiste Kempf

Comments

  1. On 5 May 5050, 2:33 by Double-Free RCE in VLC. A honggfuzz how-to – Cyber Security

    Double-Free RCE in VLC. A honggfuzz how-to – Cyber Security

    (…) The above vulnerability was fixed with the release of VLC 3.0.7 based on the following commit: http://git.videolan.org/?p=vlc.git;a=commit;h=81023659c7de5ac2637b4a879195efef50846102. (…)

  2. On 11 May 11110, 8:32 by Bug bounty drives VLCs biggest patch but attracts a-holes,

    Bug bounty drives VLCs biggest patch but attracts a-holes,

    (…) That security-focused release is a good result for VLC users and, according to Jean-Baptiste Kempf, a lead developer of VLC and president of VideoLAN, which is responsible for VLC development, it was (…)

  3. On 10 May 10100, 9:11 by Rajesh Krishnan

    I’m curious what you thought was a “good” fix. We can always ask for more of that to be included in our vulnerability reports. Always trying to make a better crowdsourced security product, including the remediation guidance and patch verification features!

  4. On 10 May 10100, 9:02 by In January, The EU Starts Running Bug Bounties On Free And

    In January, The EU Starts Running Bug Bounties On Free And

    (…) VLC 3.0.7 release and EU-FOSSA We just released VLC 3.0.7, a minor update of VLC branch 3.0.x. This release is a bit special, because it has more security issues fixed than any other (…)

  5. On 10 May 10100, 9:49 by VLC получил самое большое обновление безопасности за всю

    VLC получил самое большое обновление безопасности за всю

    (…) Глава VideoLan и один из ведущих разработчиков VLC Media Player Жан-Батист Кемпф (Jean-Baptiste Kempf) рассказал, что благодаря работе исследователей и выплатам FOSSA релиз VLC 3.0.7 получился (…)

  6. On 10 May 10100, 12:42 by jose

    no offense but i don’t think this blog has anything to do with issue reporting/fixing. you may want to file the bug where appropriate (tracker?)

  7. On 8 May 8080, 8:03 by ahmet sahin simsek

    hi

    I downloaded thé new version and I have a problème withe subtitle please can you help me