openSUSE Security Update: Security update for vlc
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:0545-1
Rating:             moderate
References:         #1142161 #1146428 
Cross-References:   CVE-2019-13602 CVE-2019-13962 CVE-2019-14437
                    CVE-2019-14438 CVE-2019-14498 CVE-2019-14533
                    CVE-2019-14534 CVE-2019-14535 CVE-2019-14776
                    CVE-2019-14777 CVE-2019-14778 CVE-2019-14970
                   
Affected Products:
                    openSUSE Leap 15.1
______________________________________________________________________________

   An update that fixes 12 vulnerabilities is now available.

Description:

   This update for vlc fixes the following issues:

   vlc was updated to version 3.0.9.2:

   + Misc: Properly bump the version in configure.ac.

   Changes from version 3.0.9.1:

   + Misc: Fix VLSub returning 401 for earch request.

   Changes from version 3.0.9:

   + Core: Work around busy looping when playing an invalid item through VLM.
   + Access:
     * Multiple dvdread and dvdnav crashs fixes
     * Fixed DVD glitches on clip change
     * Fixed dvdread commands/data sequence inversion in some cases causing
       unwanted glitches
     * Better handling of authored as corrupted DVD
     * Added libsmb2 support for SMB2/3 shares
   + Demux:
     * Fix TTML entities not passed to decoder
     * Fixed some WebVTT styling tags being not applied
     * Misc raw H264/HEVC frame rate fixes
     * Fix adaptive regression on TS format change (mostly HLS)
     * Fixed MP4 regression with twos/sowt PCM audio
     * Fixed some MP4 raw quicktime and ms-PCM audio
     * Fixed MP4 interlacing handling
     * Multiple adaptive stack (DASH/HLS/Smooth) fixes
     * Enabled Live seeking for HLS
     * Fixed seeking in some cases for HLS
     * Improved Live playback for Smooth and DASH
     * Fixed adaptive unwanted end of stream in some cases
     * Faster adaptive start and new buffering control options
   + Packetizers:
     * Fixes H264/HEVC incomplete draining in some cases
     * packetizer_helper: Fix potential trailing junk on last packet
     * Added missing drain in packetizers that was causing missing last frame
       or audio
     * Improved check to prevent fLAC synchronization drops
   + Decoder:
     * avcodec: revector video decoder to fix incomplete drain
     * spudec: implemented palette updates, fixing missing subtitles
       on some DVD
     * Fixed WebVTT CSS styling not being applied on Windows/macOS
     * Fixed Hebrew teletext pages support in zvbi
     * Fixed Dav1d aborting decoding on corrupted picture
     * Extract and display of all CEA708 subtitles
     * Update libfaad to 2.9.1
     * Add DXVA support for VP9 Profile 2 (10 bits)
     * Mediacodec aspect ratio with Amazon devices
   + Audio output:
     * Added support for iOS audiounit audio above 48KHz
     * Added support for amem audio up to 384KHz
   + Video output:
     * Fix for opengl glitches in some drivers     * Fix GMA950 opengl support on macOS
     * YUV to RGB StretchRect fixes with NVIDIA drivers     * Use libpacebo new tone mapping desaturation algorithm
   + Text renderer:
     * Fix crashes on macOS with SSA/ASS subtitles containing emoji
     * Fixed unwanted growing background in Freetype rendering and Y padding
   + Mux: Fixed some YUV mappings
   + Service Discovery: Update libmicrodns to 0.1.2.
   + Misc:
     * Update YouTube, SoundCloud and Vocaroo scripts: this restores playback
       of YouTube URLs.
     * Add missing .wpl & .zpl file associations on Windows
     * Improved chromecast audio quality

   Update to version 3.0.8 'vetinari':

   + Fix stuttering for low framerate videos
   + Improve adaptive streaming
   + Improve audio output for external audio devices on macOS/iOS
   + Fix hardware acceleration with Direct3D11 for some AMD drivers   + Fix WebVTT subtitles rendering
   + Vetinari is a major release changing a lot in the media engine of VLC.
     It is one of the largest release we've ever done. Notably, it:
      - activates hardware decoding on all platforms, of H.264 & H.265, 8 &
        10bits, allowing 4K60 or even 8K decoding with little CPU consumption,
      - merges all the code from the mobile ports into the same codebase with
        common numbering and releases,
      - supports 360 video and 3D audio, and prepares for VR content,
      - supports direct HDR and HDR tone-mapping,
      - updates the audio passthrough for HD Audio codecs,
      - allows browsing of local network drives like SMB, FTP, SFTP, NFS...
      - stores the passwords securely,
      - brings a new subtitle rendering engine, supporting ComplexTextLayout
        and font fallback to support multiple languages and fonts,
      - supports ChromeCast with the new renderer framework,
      - adds support for numerous new formats and codecs, including WebVTT,
        AV1, TTML, HQX, 708, Cineform, and many more,
      - improves Bluray support with Java menus, aka BD-J,
      - updates the macOS interface with major cleaning and improvements,
      - support HiDPI UI on Windows, with the switch to Qt5,
      - prepares the experimental support for Wayland on Linux, and switches
        to OpenGL by default on Linux.
   + Security fixes included:
     * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
     * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
     * Fix a read buffer overflow in the FAAD decoder
     * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437,
       CVE-2019-14438)
     * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
     * Fix a use after free in the MKV demuxer (CVE-2019-14777,
       CVE-2019-14778)
     * Fix a use after free in the ASF demuxer (CVE-2019-14533)
     * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
     * Fix a null dereference in the dvdnav demuxer
     * Fix a null dereference in the ASF demuxer (CVE-2019-14534)
     * Fix a null dereference in the AVI demuxer
     * Fix a division by zero in the CAF demuxer (CVE-2019-14498)
     * Fix a division by zero in the ASF demuxer (CVE-2019-14535)
   - Disbale mod-plug for the time being: libmodplug 0.8.9 is not yet
     available.

   - Disable SDL_image (SDL 1.2) based codec. It is only a wrapper around
     some image loading libraries (libpng, libjpeg, ...) which are either
     wrapped by vlc itself (libpng_plugin.so) or via libavcodec
     (libavcodec_plugin.so).


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.1:

      zypper in -t patch openSUSE-2020-545=1



Package List:

   - openSUSE Leap 15.1 (noarch):

      vlc-lang-3.0.9.2-lp151.6.6.1

   - openSUSE Leap 15.1 (x86_64):

      libvlc5-3.0.9.2-lp151.6.6.1
      libvlc5-debuginfo-3.0.9.2-lp151.6.6.1
      libvlccore9-3.0.9.2-lp151.6.6.1
      libvlccore9-debuginfo-3.0.9.2-lp151.6.6.1
      vlc-3.0.9.2-lp151.6.6.1
      vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1
      vlc-codec-gstreamer-debuginfo-3.0.9.2-lp151.6.6.1
      vlc-debuginfo-3.0.9.2-lp151.6.6.1
      vlc-debugsource-3.0.9.2-lp151.6.6.1
      vlc-devel-3.0.9.2-lp151.6.6.1
      vlc-jack-3.0.9.2-lp151.6.6.1
      vlc-jack-debuginfo-3.0.9.2-lp151.6.6.1
      vlc-noX-3.0.9.2-lp151.6.6.1
      vlc-noX-debuginfo-3.0.9.2-lp151.6.6.1
      vlc-opencv-3.0.9.2-lp151.6.6.1
      vlc-opencv-debuginfo-3.0.9.2-lp151.6.6.1
      vlc-qt-3.0.9.2-lp151.6.6.1
      vlc-qt-debuginfo-3.0.9.2-lp151.6.6.1
      vlc-vdpau-3.0.9.2-lp151.6.6.1
      vlc-vdpau-debuginfo-3.0.9.2-lp151.6.6.1


References:

   https://www.suse.com/security/cve/CVE-2019-13602.html
   https://www.suse.com/security/cve/CVE-2019-13962.html
   https://www.suse.com/security/cve/CVE-2019-14437.html
   https://www.suse.com/security/cve/CVE-2019-14438.html
   https://www.suse.com/security/cve/CVE-2019-14498.html
   https://www.suse.com/security/cve/CVE-2019-14533.html
   https://www.suse.com/security/cve/CVE-2019-14534.html
   https://www.suse.com/security/cve/CVE-2019-14535.html
   https://www.suse.com/security/cve/CVE-2019-14776.html
   https://www.suse.com/security/cve/CVE-2019-14777.html
   https://www.suse.com/security/cve/CVE-2019-14778.html
   https://www.suse.com/security/cve/CVE-2019-14970.html
   https://bugzilla.suse.com/1142161
   https://bugzilla.suse.com/1146428

--

openSUSE: 2020:0545-1: moderate: vlc

April 23, 2020
An update that fixes 12 vulnerabilities is now available.

Description

This update for vlc fixes the following issues: vlc was updated to version 3.0.9.2: + Misc: Properly bump the version in configure.ac. Changes from version 3.0.9.1: + Misc: Fix VLSub returning 401 for earch request. Changes from version 3.0.9: + Core: Work around busy looping when playing an invalid item through VLM. + Access: * Multiple dvdread and dvdnav crashs fixes * Fixed DVD glitches on clip change * Fixed dvdread commands/data sequence inversion in some cases causing unwanted glitches * Better handling of authored as corrupted DVD * Added libsmb2 support for SMB2/3 shares + Demux: * Fix TTML entities not passed to decoder * Fixed some WebVTT styling tags being not applied * Misc raw H264/HEVC frame rate fixes * Fix adaptive regression on TS format change (mostly HLS) * Fixed MP4 regression with twos/sowt PCM audio * Fixed some MP4 raw quicktime and ms-PCM audio * Fixed MP4 interlacing handling * Multiple adaptive stack (DASH/HLS/Smooth) fixes * Enabled Live seeking for HLS * Fixed seeking in some cases for HLS * Improved Live playback for Smooth and DASH * Fixed adaptive unwanted end of stream in some cases * Faster adaptive start and new buffering control options + Packetizers: * Fixes H264/HEVC incomplete draining in some cases * packetizer_helper: Fix potential trailing junk on last packet * Added missing drain in packetizers that was causing missing last frame or audio * Improved check to prevent fLAC synchronization drops + Decoder: * avcodec: revector video decoder to fix incomplete drain * spudec: implemented palette updates, fixing missing subtitles on some DVD * Fixed WebVTT CSS styling not being applied on Windows/macOS * Fixed Hebrew teletext pages support in zvbi * Fixed Dav1d aborting decoding on corrupted picture * Extract and display of all CEA708 subtitles * Update libfaad to 2.9.1 * Add DXVA support for VP9 Profile 2 (10 bits) * Mediacodec aspect ratio with Amazon devices + Audio output: * Added support for iOS audiounit audio above 48KHz * Added support for amem audio up to 384KHz + Video output: * Fix for opengl glitches in some drivers * Fix GMA950 opengl support on macOS * YUV to RGB StretchRect fixes with NVIDIA drivers * Use libpacebo new tone mapping desaturation algorithm + Text renderer: * Fix crashes on macOS with SSA/ASS subtitles containing emoji * Fixed unwanted growing background in Freetype rendering and Y padding + Mux: Fixed some YUV mappings + Service Discovery: Update libmicrodns to 0.1.2. + Misc: * Update YouTube, SoundCloud and Vocaroo scripts: this restores playback of YouTube URLs. * Add missing .wpl & .zpl file associations on Windows * Improved chromecast audio quality Update to version 3.0.8 'vetinari': + Fix stuttering for low framerate videos + Improve adaptive streaming + Improve audio output for external audio devices on macOS/iOS + Fix hardware acceleration with Direct3D11 for some AMD drivers + Fix WebVTT subtitles rendering + Vetinari is a major release changing a lot in the media engine of VLC. It is one of the largest release we've ever done. Notably, it: - activates hardware decoding on all platforms, of H.264 & H.265, 8 & 10bits, allowing 4K60 or even 8K decoding with little CPU consumption, - merges all the code from the mobile ports into the same codebase with common numbering and releases, - supports 360 video and 3D audio, and prepares for VR content, - supports direct HDR and HDR tone-mapping, - updates the audio passthrough for HD Audio codecs, - allows browsing of local network drives like SMB, FTP, SFTP, NFS... - stores the passwords securely, - brings a new subtitle rendering engine, supporting ComplexTextLayout and font fallback to support multiple languages and fonts, - supports ChromeCast with the new renderer framework, - adds support for numerous new formats and codecs, including WebVTT, AV1, TTML, HQX, 708, Cineform, and many more, - improves Bluray support with Java menus, aka BD-J, - updates the macOS interface with major cleaning and improvements, - support HiDPI UI on Windows, with the switch to Qt5, - prepares the experimental support for Wayland on Linux, and switches to OpenGL by default on Linux. + Security fixes included: * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970) * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962) * Fix a read buffer overflow in the FAAD decoder * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438) * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776) * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778) * Fix a use after free in the ASF demuxer (CVE-2019-14533) * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602) * Fix a null dereference in the dvdnav demuxer * Fix a null dereference in the ASF demuxer (CVE-2019-14534) * Fix a null dereference in the AVI demuxer * Fix a division by zero in the CAF demuxer (CVE-2019-14498) * Fix a division by zero in the ASF demuxer (CVE-2019-14535) - Disbale mod-plug for the time being: libmodplug 0.8.9 is not yet available. - Disable SDL_image (SDL 1.2) based codec. It is only a wrapper around some image loading libraries (libpng, libjpeg, ...) which are either wrapped by vlc itself (libpng_plugin.so) or via libavcodec (libavcodec_plugin.so).

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-545=1


Package List

- openSUSE Leap 15.1 (noarch): vlc-lang-3.0.9.2-lp151.6.6.1 - openSUSE Leap 15.1 (x86_64): libvlc5-3.0.9.2-lp151.6.6.1 libvlc5-debuginfo-3.0.9.2-lp151.6.6.1 libvlccore9-3.0.9.2-lp151.6.6.1 libvlccore9-debuginfo-3.0.9.2-lp151.6.6.1 vlc-3.0.9.2-lp151.6.6.1 vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 vlc-codec-gstreamer-debuginfo-3.0.9.2-lp151.6.6.1 vlc-debuginfo-3.0.9.2-lp151.6.6.1 vlc-debugsource-3.0.9.2-lp151.6.6.1 vlc-devel-3.0.9.2-lp151.6.6.1 vlc-jack-3.0.9.2-lp151.6.6.1 vlc-jack-debuginfo-3.0.9.2-lp151.6.6.1 vlc-noX-3.0.9.2-lp151.6.6.1 vlc-noX-debuginfo-3.0.9.2-lp151.6.6.1 vlc-opencv-3.0.9.2-lp151.6.6.1 vlc-opencv-debuginfo-3.0.9.2-lp151.6.6.1 vlc-qt-3.0.9.2-lp151.6.6.1 vlc-qt-debuginfo-3.0.9.2-lp151.6.6.1 vlc-vdpau-3.0.9.2-lp151.6.6.1 vlc-vdpau-debuginfo-3.0.9.2-lp151.6.6.1


References

https://www.suse.com/security/cve/CVE-2019-13602.html https://www.suse.com/security/cve/CVE-2019-13962.html https://www.suse.com/security/cve/CVE-2019-14437.html https://www.suse.com/security/cve/CVE-2019-14438.html https://www.suse.com/security/cve/CVE-2019-14498.html https://www.suse.com/security/cve/CVE-2019-14533.html https://www.suse.com/security/cve/CVE-2019-14534.html https://www.suse.com/security/cve/CVE-2019-14535.html https://www.suse.com/security/cve/CVE-2019-14776.html https://www.suse.com/security/cve/CVE-2019-14777.html https://www.suse.com/security/cve/CVE-2019-14778.html https://www.suse.com/security/cve/CVE-2019-14970.html https://bugzilla.suse.com/1142161 https://bugzilla.suse.com/1146428--


Severity
Announcement ID: openSUSE-SU-2020:0545-1
Rating: moderate
Affected Products: openSUSE Leap 15.1

Related News

4.Lock AbstractDigital Esm H320
1 - 2 min read
Nmap 7.95 introduces myriad enhancements, primarily focusing on OS and service detection signatures. This reflects the dedication of the Nmap
5.ShakingHands Esm H320
3 - 5 min read
There has been a promising shift in the tech industry, with major companies pledging to release products with built-in security features. This
18.WifiCutout Landscape Esm H320
2 - 3 min read
A novel attack called TunnelVision has been discovered. It compromises the security of virtually all VPN apps, rendering their purpose useless. The
21.Globe RadiatingCode Esm H320
2 - 3 min read
The recent discovery of a backdoor in XZ Utils , a widely used Linux tool, raises concerns about the security of the open-source ecosystem. While
13.Lock StylizedMotherboard Esm H320
1 - 2 min read
Spiral Linux is a Debian-based distribution that offers a range of desktop environments, making it stand out from other Linux distributions. In
32.Lock Code Circular Esm H320
2 - 3 min read
Two critical security vulnerabilities were found in pgAdmin, the open-source administration tool for PostgreSQL . The vulnerabilities assigned
1.Penguin Landscape Esm H320
2 - 3 min read
The recent release of AlmaLinux 9.4 , closely aligned with Red Hat Enterprise Linux (RHEL) 9.4 , presents Linux admins and infosec professionals
11.Locks IsometricPattern Esm H320
2 - 3 min read
The upcoming release of Linux Mint 22 will introduce significant changes, particularly in handling XApp , GNOME applications, and the Software

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved