SUSE 5180 Published by

The following two updates has been released for openSUSE:

openSUSE-SU-2019:1062-1: important: Security update for chromium
openSUSE-SU-2019:1066-1: Security update for ffmpeg-4



openSUSE-SU-2019:1062-1: important: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1062-1
Rating: important
References: #1129059
Cross-References: CVE-2019-5787 CVE-2019-5788 CVE-2019-5789
CVE-2019-5790 CVE-2019-5791 CVE-2019-5792
CVE-2019-5793 CVE-2019-5794 CVE-2019-5795
CVE-2019-5796 CVE-2019-5797 CVE-2019-5798
CVE-2019-5799 CVE-2019-5800 CVE-2019-5801
CVE-2019-5802 CVE-2019-5803 CVE-2019-5804

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes 18 vulnerabilities is now available.

Description:

This update for chromium to version 73.0.3683.75 fixes the following
issues:

Security issues fixed (bsc#1129059):

- CVE-2019-5787: Fixed a use after free in Canvas.
- CVE-2019-5788: Fixed a use after free in FileAPI.
- CVE-2019-5789: Fixed a use after free in WebMIDI.
- CVE-2019-5790: Fixed a heap buffer overflow in V8.
- CVE-2019-5791: Fixed a type confusion in V8.
- CVE-2019-5792: Fixed an integer overflow in PDFium.
- CVE-2019-5793: Fixed excessive permissions for private API in Extensions.
- CVE-2019-5794: Fixed security UI spoofing.
- CVE-2019-5795: Fixed an integer overflow in PDFium.
- CVE-2019-5796: Fixed a race condition in Extensions.
- CVE-2019-5797: Fixed a race condition in DOMStorage.
- CVE-2019-5798: Fixed an out of bounds read in Skia.
- CVE-2019-5799: Fixed a CSP bypass with blob URL.
- CVE-2019-5800: Fixed a CSP bypass with blob URL.
- CVE-2019-5801: Fixed an incorrect Omnibox display on iOS.
- CVE-2019-5802: Fixed security UI spoofing.
- CVE-2019-5803: Fixed a CSP bypass with Javascript URLs'.
- CVE-2019-5804: Fixed a command line injection on Windows.

Release notes:
https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-des
ktop_12.html


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1062=1



Package List:

- openSUSE Leap 15.0 (x86_64):

chromedriver-73.0.3683.75-lp150.206.1
chromedriver-debuginfo-73.0.3683.75-lp150.206.1
chromium-73.0.3683.75-lp150.206.1
chromium-debuginfo-73.0.3683.75-lp150.206.1
chromium-debugsource-73.0.3683.75-lp150.206.1


References:

https://www.suse.com/security/cve/CVE-2019-5787.html
https://www.suse.com/security/cve/CVE-2019-5788.html
https://www.suse.com/security/cve/CVE-2019-5789.html
https://www.suse.com/security/cve/CVE-2019-5790.html
https://www.suse.com/security/cve/CVE-2019-5791.html
https://www.suse.com/security/cve/CVE-2019-5792.html
https://www.suse.com/security/cve/CVE-2019-5793.html
https://www.suse.com/security/cve/CVE-2019-5794.html
https://www.suse.com/security/cve/CVE-2019-5795.html
https://www.suse.com/security/cve/CVE-2019-5796.html
https://www.suse.com/security/cve/CVE-2019-5797.html
https://www.suse.com/security/cve/CVE-2019-5798.html
https://www.suse.com/security/cve/CVE-2019-5799.html
https://www.suse.com/security/cve/CVE-2019-5800.html
https://www.suse.com/security/cve/CVE-2019-5801.html
https://www.suse.com/security/cve/CVE-2019-5802.html
https://www.suse.com/security/cve/CVE-2019-5803.html
https://www.suse.com/security/cve/CVE-2019-5804.html
https://bugzilla.suse.com/1129059

--


openSUSE-SU-2019:1066-1: Security update for ffmpeg-4

openSUSE Security Update: Security update for ffmpeg-4
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1066-1
Rating: low
References: #1092241 #1100348 #1105869
Cross-References: CVE-2018-13300 CVE-2018-15822
Affected Products:
openSUSE Backports SLE-15
______________________________________________________________________________

An update that solves two vulnerabilities and has one
errata is now available.

Description:

This update for ffmpeg-4 to version 4.0.2 fixes the following issues:

These security issues were fixed:

- CVE-2018-15822: The flv_write_packet function did not check for an empty
audio packet, leading to an assertion failure and DoS (bsc#1105869).
- CVE-2018-13300: An improper argument passed to the avpriv_request_sample
function may have triggered an out-of-array read while converting a
crafted AVI file to MPEG4, leading to a denial of service and possibly
an information disclosure (bsc#1100348).

These non-security issues were fixed:

- Enable webvtt encoders and decoders (boo#1092241).
- Build codec2 encoder and decoder, add libcodec2 to enable_decoders and
enable_encoders.
- Enable mpeg 1 and 2 encoders.

This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15:

zypper in -t patch openSUSE-2019-1066=1



Package List:

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

ffmpeg-4-libavcodec-devel-4.0.2-bp150.21.1
ffmpeg-4-libavdevice-devel-4.0.2-bp150.21.1
ffmpeg-4-libavfilter-devel-4.0.2-bp150.21.1
ffmpeg-4-libavformat-devel-4.0.2-bp150.21.1
ffmpeg-4-libavresample-devel-4.0.2-bp150.21.1
ffmpeg-4-libavutil-devel-4.0.2-bp150.21.1
ffmpeg-4-libpostproc-devel-4.0.2-bp150.21.1
ffmpeg-4-libswresample-devel-4.0.2-bp150.21.1
ffmpeg-4-libswscale-devel-4.0.2-bp150.21.1
ffmpeg-4-private-devel-4.0.2-bp150.21.1
libavcodec58-4.0.2-bp150.21.1
libavdevice58-4.0.2-bp150.21.1
libavfilter7-4.0.2-bp150.21.1
libavformat58-4.0.2-bp150.21.1
libavresample4-4.0.2-bp150.21.1
libavutil56-4.0.2-bp150.21.1
libpostproc55-4.0.2-bp150.21.1
libswresample3-4.0.2-bp150.21.1
libswscale5-4.0.2-bp150.21.1

- openSUSE Backports SLE-15 (aarch64_ilp32):

libavcodec58-64bit-4.0.2-bp150.21.1
libavdevice58-64bit-4.0.2-bp150.21.1
libavfilter7-64bit-4.0.2-bp150.21.1
libavformat58-64bit-4.0.2-bp150.21.1
libavresample4-64bit-4.0.2-bp150.21.1
libavutil56-64bit-4.0.2-bp150.21.1
libpostproc55-64bit-4.0.2-bp150.21.1
libswresample3-64bit-4.0.2-bp150.21.1
libswscale5-64bit-4.0.2-bp150.21.1


References:

https://www.suse.com/security/cve/CVE-2018-13300.html
https://www.suse.com/security/cve/CVE-2018-15822.html
https://bugzilla.suse.com/1092241
https://bugzilla.suse.com/1100348
https://bugzilla.suse.com/1105869

--