by kyriakos 2734 days ago
Most probably these are tools commonly used by EU institutions which have records of bugs having caused them problems. The solution is to help fix those bugs by offering money. You are right though, I can't see how VLC can be as mission critical as Kafka.
2 comments

Most police forces use VLC to view CCTV recordings and other multimedia evidence. It's an entirely logical choice of software, but it presents an obvious risk in the current climate. I would imagine that many intelligence services use VLC for similar purposes.

A nation-state adversary with a VLC RCE 0day could do some serious damage; if they also have an 0day for a popular model of CCTV DVR, they've got the keys to the kingdom. Those DVRs will never get patched and a nation-state adversary could dream up all sorts of ways to induce a police officer or an intelligence agent to play a media file, but at least we can harden VLC.

That is an interesting thought.

I'd never considered that an excellent media playback program would be a vector for nation states and entities with nation-state capabilities.

> which have records of bugs having caused them problems

even glibc?

> I can't see how VLC can be as mission critical as Kafka.

VLC can run on public screens

A friend of mine spent last Christmas debugging an issue in memcpy in glibc (on Intel 32-bit CPUs). Glibc is less well tested than I expected, and has ASM implementations of many functions for many CPUs, some of which are (obviously) less well supported than others.
IA32 is probably not getting all the focus from devs and users these days, still surprising, however... Do you have a link to the issue, out of curiosity?
Wow, that's scary indeed... They were using x86 signed compare instead of unsigned (jg vs ja)... Thanks for the link btw!
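The signed-versus-unsigned compare mistake (jg vs ja) in the last two comments is a general bug class, so here is an added example that is not from any commenter and not glibc's memcpy: a constructed C length check written both ways, with hypothetical helper names (`length_ok_signed`, `length_ok_unsigned`, `bounded_copy`, `count_signed_misses`). It shows why a length whose top bit is set slips through a signed check while an unsigned check rejects it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class discussed above: a length check
   that a compiler emits as a signed compare (x86 jg/jle) instead of an
   unsigned one (ja/jbe). Hypothetical helpers, not glibc code. */

#define BUF_SIZE 64u

/* Returns 1 if the length is accepted, 0 if rejected.
   Buggy: casting to int32_t makes any length >= 0x80000000 negative on
   two's-complement targets, so it is never "greater than" BUF_SIZE. */
int length_ok_signed(uint32_t n) {
    return (int32_t)n <= (int32_t)BUF_SIZE;
}

/* Correct: an unsigned compare rejects every length above BUF_SIZE. */
int length_ok_unsigned(uint32_t n) {
    return n <= BUF_SIZE;
}

/* Guarded copy using the correct check; returns bytes copied or -1. */
int bounded_copy(char *dst, const char *src, uint32_t n) {
    if (!length_ok_unsigned(n)) return -1;
    memcpy(dst, src, n);
    return (int)n;
}

/* Runs a small copy and an oversized copy into a static buffer;
   returns 1 when both behave as expected (16 bytes copied, then -1). */
int demo_copies(void) {
    static char buf[BUF_SIZE];
    int small = bounded_copy(buf, "0123456789abcdef", 16);  /* 16 */
    int huge  = bounded_copy(buf, "", 0x80000000u);         /* -1 */
    return small == 16 && huge == -1;
}

/* Probes a few boundary lengths (constructed values) and counts how many
   the signed check wrongly accepts while the unsigned check rejects. */
int count_signed_misses(void) {
    const uint32_t probes[] = { 0u, 64u, 65u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu };
    int misses = 0;
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int s = length_ok_signed(probes[i]);
        int u = length_ok_unsigned(probes[i]);
        printf("n=0x%08x  signed:%-6s  unsigned:%s\n", (unsigned)probes[i],
               s ? "accept" : "reject", u ? "accept" : "reject");
        if (s && !u) misses++;
    }
    return misses;
}

int main(void) {
    printf("copies behave as expected: %d\n", demo_copies());
    printf("lengths wrongly accepted by the signed check: %d\n", count_signed_misses());
    return 0;
}
```

The two probe lengths 0x80000000 and 0xFFFFFFFF are exactly the cases a signed compare lets through; reviewing bounds checks for a mismatch between the operand's signedness and the comparison used (or enabling `-Wsign-compare`) is the cheap defensive check here.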