Two severe vulnerabilities in the popular open source multimedia player VLC have recently been fixed. According to web security audit experts, one is a buffer overflow and the other is an out-of-bounds write; both were addressed as part of a European Commission-funded bug bounty program.
In January, the European Union, in collaboration with HackerOne, funded 14 bug bounty programs, aiming to strengthen the security of open source projects used by the institutions of the member states.
Web security audit specialists say that further details about these flaws and how they might be exploited have not yet been disclosed; so far it has only been revealed that the release addressing them is VLC 3.0.7, together with the code for the forthcoming VLC 4.0.
Experts point out that the out-of-bounds write is not in VLC's own code base but in faad2, an AAC decoding library that VLC depends on and that is no longer maintained. Since the fix lives in a third-party library, users who obtain VLC from a Linux distribution should also confirm that the distribution's faad2 package has been patched; the Windows and macOS builds from videolan.org bundle their own copy of the library. The buffer overflow, on the other hand, lies in VLC 4.0 code, in the player's Reliable Internet Stream Transport (RIST) module; for now only a beta of VLC 4.0 is available.
In addition to the critical flaws, 21 medium-risk and 20 low-risk vulnerabilities were fixed. Most of the medium-risk ones are out-of-bounds reads, stack overflows, use-after-free bugs and similar memory safety issues. "In specific scenarios these errors could interrupt the correct functioning of VLC," the web security audit experts added.
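To make the bug classes named above concrete, here is an added example (not code from VLC, faad2 or the RIST module, and not the actual bugs) showing the out-of-bounds write pattern from the faad2 paragraph and the out-of-bounds read pattern from the list above in a decoder-style routine, beside a bounds-checked version. The frame format (a 2-byte little-endian sample count followed by 16-bit samples), the buffer capacity and the three sample frames are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of the out-of-bounds read/write bug class.
 * Not the faad2 or VLC code: the "frame" format below (2-byte LE sample
 * count, then 16-bit LE samples) and OUT_CAPACITY are assumptions. */

#define OUT_CAPACITY 8   /* samples the caller's output buffer can hold */

enum decode_status { DECODE_OK = 0, DECODE_TRUNCATED = 1, DECODE_TOO_LONG = 2 };

/* Vulnerable pattern: trusts the count declared in the frame header.
 * An oversized count makes it read past the end of frame[] (OOB read)
 * and write past the end of out[] (OOB write). Only call it on
 * well-formed input; with a hostile frame it is undefined behaviour. */
static size_t decode_frame_unchecked(const uint8_t *frame, size_t frame_len,
                                     int16_t *out)
{
    if (frame_len < 2)
        return 0;
    size_t declared = (size_t)frame[0] | ((size_t)frame[1] << 8);
    for (size_t i = 0; i < declared; i++) {
        size_t off = 2 + 2 * i;
        out[i] = (int16_t)((uint16_t)frame[off] | ((uint16_t)frame[off + 1] << 8));
    }
    return declared;
}

/* Hardened version: validates the declared count against both the output
 * capacity and the bytes actually present before touching either buffer. */
static enum decode_status decode_frame_checked(const uint8_t *frame, size_t frame_len,
                                               int16_t *out, size_t out_cap,
                                               size_t *n_written)
{
    *n_written = 0;
    if (frame_len < 2)
        return DECODE_TRUNCATED;
    size_t declared = (size_t)frame[0] | ((size_t)frame[1] << 8);
    if (declared > out_cap)              /* would overflow out[] */
        return DECODE_TOO_LONG;
    if (frame_len - 2 < declared * 2)    /* would read past frame[] */
        return DECODE_TRUNCATED;
    for (size_t i = 0; i < declared; i++) {
        size_t off = 2 + 2 * i;
        out[i] = (int16_t)((uint16_t)frame[off] | ((uint16_t)frame[off + 1] << 8));
    }
    *n_written = declared;
    return DECODE_OK;
}

/* Constructed sample frames (assumed format, see above). */
static const uint8_t GOOD_FRAME[]      = {0x03, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00};
static const uint8_t OVERSIZED_FRAME[] = {0xFF, 0xFF, 0x00, 0x00};  /* claims 65535 samples */
static const uint8_t TRUNCATED_FRAME[] = {0x04, 0x00, 0x01, 0x00, 0x02, 0x00}; /* claims 4, carries 2 */

/* Runs the checked decoder into a fixed buffer; returns status * 100 + samples written. */
int checked_result(const uint8_t *frame, size_t frame_len)
{
    int16_t out[OUT_CAPACITY];
    size_t n = 0;
    enum decode_status st = decode_frame_checked(frame, frame_len, out, OUT_CAPACITY, &n);
    return (int)st * 100 + (int)n;
}

/* The unchecked decoder on the well-formed frame only: returns the sample count. */
int unchecked_count_good(void)
{
    int16_t out[OUT_CAPACITY];
    return (int)decode_frame_unchecked(GOOD_FRAME, sizeof GOOD_FRAME, out);
}

int main(void)
{
    printf("good:      %d\n", checked_result(GOOD_FRAME, sizeof GOOD_FRAME));
    printf("oversized: %d\n", checked_result(OVERSIZED_FRAME, sizeof OVERSIZED_FRAME));
    printf("truncated: %d\n", checked_result(TRUNCATED_FRAME, sizeof TRUNCATED_FRAME));
    printf("unchecked on good frame: %d samples\n", unchecked_count_good());
    /* decode_frame_unchecked(OVERSIZED_FRAME, ...) would write 65535 samples
     * into an 8-sample buffer; it is deliberately not called here. */
    return 0;
}
```

The point of the checked version is that every length that comes from the input is compared against both the destination capacity and the source length before any copy loop runs; the two distinct status codes let a caller tell a hostile or corrupt frame apart from a merely short one.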
Specialists from the International Institute of Cyber Security (IICS) point out that most of the flaws were reported by a HackerOne user known as "Ele7enxxh", who received about $13,000 USD in bounties.
Experts note that these VLC updates bring no significant changes beyond the bug fixes, but they urge users to install them as soon as possible to reduce the risk of exploitation. The installed version can be checked from the Help > About dialog or by running vlc --version.