VLC Media Player 3.0.7 was released on Friday and contained the most security updates ever in one release of the program. The president of the VideoLan non-profit organization states that this was due to their inclusion in the EU-FOSSA bug bounty program.

Last year, the European Commission announced that they were expanding their Free and Open Source Software Audit (FOSSA) project to support bug bounty programs for free and open source programs that they use.

As VLC Media Player is one of the products used by the EU Commission, it was added to a bug bounty program at HackerOne where they are sponsored by EU-FOSSA.

Jean-Baptiste Kempf, the President of VideoLan and one of the lead developers of the VLC Media Player, says that VLC 3.0.7 has the most security fixes than any other version of their program

"We just released VLC 3.0.7, a minor update of VLC branch 3.0.x," Kempf stated in a blog post. "This release is a bit special, because it has more security issues fixed than any other version of VLC."

As VideoLan is a non-profit organization offering free software, being able to afford a bug bounty program that can attract security experts is not an easy task.

When BleepingComputer asked Kempf why they had not had a bug bounty previously, he told us that was "no money for that."

Being sponsored, though, by EU-FOSSA who will pay up to €60,000 in bounties for reported VLC vulnerabilities appears to have created a much greater for security researchers to analyze the program.

"This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the FOSSA program."

In addition, Kempf told us that the EU-FOSS sponsorship program provided more "manpower" towards finding and fixing security bugs.

Due to the large amount of security updates in this release, it strongly advised that all VLC users update to the latest version. Users can do this by going to Help -> Check for Updates or by downloading the new version from their website.

Security updates in VLC 3.0.7

According to Baptist there were a total of 33 vulnerabilities fixed in this release, with 2 being high security issues, 21 being medium, and 20 being low.

Of the two high security vulnerabilities, one was a out-of-bound write in the the faad2 library, which a dependency of VLC, and the other was a stack buffer overflow in the RIST Module of VLC 4.0.

The best reporter of vulnerabilities via their bug bounty program was ele7enxxh who reported 13 bug for a total of $13,265.02 in paid bounties.

The complete list of security fixes can be found below.

Security: * Fix multiple buffer overflows in the ps demuxer * Fix a buffer overflow when copying a biplanar YUV image * Fix multiple buffer overflows in the faad decoder * Fix buffer overflow in the svcdsub decoder * Fix buffer overflows in the ogg muxer & demuxer * Fix buffer overflows in libavformat demuxer * Fix multiple buffer overflows in the MKV demuxer * Fix a buffer overflow in the MP4 demuxer * Fix a buffer overflow in the textst decoder * Fix a buffer overflow in the webvtt decoder * Fix a buffer overflow in the ASF demux * Fix a buffer overflow in the UPNP SD * Fix use after free in the ogg demuxer * Fix multiple use after free in the MKV demuxer * Fix multiple use after free in the DMO decoder * Fix integer underflow in the MKV demuxer * Fix an updater NULL pointer dereference on invalid signing keys * Fix NULL pointer dereference in the MKV demuxer * Fix an integer overflow in the spudec decoder * Fix an integer overflow in the nsc demuxer * Fix an integer overflow in the avi demuxer * Fix reads of uninitialized pointers in the MKV demuxer * Fix a floating point exception in the MKV demuxer * Fix an infinite loop in the flac packetizer

The complete change log can be found here.

Updated 6/10/19 with comments from Jean-Baptiste Kempf, the President of VideoLan and one of the lead developers of the VLC Media Player.