Earlier this month, VideoLAN – the maintainers of the world’s most popular open source media player, VLC – issued the biggest single set of security fixes in the program’s history.
Numbering 33 in all, the set included two rated critical, 21 rated medium and 10 rated low, bringing VLC to version 3.0.7.
But perhaps the most interesting part of the story is less the flaws themselves than the process through which they were found.
The most serious flaws
The first of the criticals, CVE-2019-12874, discovered and documented in detail by Symeon Paraschoudis of Pen Test Partners, is an out-of-bounds write flaw in the FAAD2 MPEG-4 and MPEG-2 AAC decoder library used by VLC 3.0.6 and earlier.
The second is CVE-2019-5439, a stack buffer overflow in version 4.0.0 beta’s Reliable Internet Stream Transport (RIST), potentially allowing remote code execution (RCE) at the user’s privilege level if the user can be persuaded to open a malicious AVI or MKV video file.
The mediums, meanwhile, are described by VideoLAN’s Jean-Baptiste Kempf as “mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues,” which could crash VLC.
Bug bounties
The number of vulnerabilities serves as a reminder of the complexity of media players, which must support numerous file formats, codecs and text renderers, any one of which can open security holes. However, according to Kempf, the number of fixes this time was directly connected to the bug bounty sponsorship offered under the EU-FOSSA 2 program, which rewards hackers for finding critical flaws in open source software used by EU institutions.
By the standards of proprietary programs, this is pretty modest – only $220,000 had been scheduled for payment via the Intigriti/Deloitte and HackerOne platforms as of April 2019 – but it is still a step up for open source reporting, which normally relies on researchers looking for kudos alone.
But paying for reports of open source flaws doesn’t settle the question of who will write the fix, which is why EU-FOSSA 2 offers a 20% bonus to researchers who take the time to do that.
Interestingly, Kempf admits he’s not a fan of bug bounties on the basis that they incentivise researchers to find flaws but not the fixes for the flaws. As he writes:
What about you give money to VLC instead of random hackers?
Not all of the “hackers” who send VideoLAN news of security weaknesses are helpful either:
Some reporters were more than distasteful, insulting, impatient, trying to get 2 times the bounty for the same bug, or even reporting the issues to other programs (Android one) to get more money.
As explained in VideoLAN’s alert, anyone running 3.0.6 or earlier should update to 3.0.7 as soon as possible, and refrain from opening files from untrusted third parties until they do. VLC doesn’t update automatically, but it does have an update notifier (Tools > Preferences > Privacy & Network Interaction > Activate Update Notifier) that is enabled by default and checks for new versions every three days.
Harrie
I already am running VLC 3.1.6 for Android. So is this old information from Sophos?
Paul Ducklin
The Android VLC product has a different version number – it’s higher than the Windows version, don’t know why. (Interestingly, according to VLC’s own website, the current Android download is 3.1.1, not 3.1.6.)
The current Windows series is 3.0.7 (exact point release 3.0.7.1), with the fixes listed in the security advisory in the article. AFAIK, there is no Windows version 3.1.x yet.
Simon
Well, I’ll update, but if they haven’t fixed the weird intermittent always-on-top fail I’ll downgrade again and take my chances.
Simon
And they haven’t. It’s still a crapshoot as to whether the player stays on top when I’m trying to do something else at the same time. Dammit. Downgrade time.