We just released VLC 3.0.7, a minor update of VLC branch 3.0.x. This release is a bit special, because it has more security issues fixed than any other version of VLC.
This high number of security issues is due to the sponsoring of a bug bounty program funded by the European Commission, during the FOSSA program.
Severity
According to our scale, we have had 33 valid security issues fixed thanks to this program:
- 2 high security issues, (only one was present in 3.0.x),
- 21 medium security issues,
- 20 low security issues.
The 2 more important issues are an Out-of-Bound Write and a Stack Buffer Overflow.
the Out-of-Bound Write is not in the VLC codebase, but in a dependency of VLC, the faad2 library, unmaintained, unfortunately.
the Stack Buffer Overflow is a VLC 4.0-only issue in the new RIST module, and is therefore not impacting actual release of VLC.
The medium security issues are mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues. Those issues should not be exploitable with ASLR, but are important anyway, because they can crash VLC.
The low security issues are mostly integer overflow, division by zero, and other out-of-band reads with no actual impact. Those issues are not exploitable.
