SUSE 5183 Published by

A vlc security update has been released for openSUSE Leap 15.1.



security-announce: openSUSE-SU-2020:0545-1: moderate: Security update for vlc


openSUSE Security Update: Security update for vlc
______________________________________________________________________________

Announcement ID: openSUSE-SU-2020:0545-1
Rating: moderate
References: #1142161 #1146428
Cross-References: CVE-2019-13602 CVE-2019-13962 CVE-2019-14437
CVE-2019-14438 CVE-2019-14498 CVE-2019-14533
CVE-2019-14534 CVE-2019-14535 CVE-2019-14776
CVE-2019-14777 CVE-2019-14778 CVE-2019-14970

Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.

Description:

This update for vlc fixes the following issues:

vlc was updated to version 3.0.9.2:

+ Misc: Properly bump the version in configure.ac.

Changes from version 3.0.9.1:

+ Misc: Fix VLSub returning 401 for earch request.

Changes from version 3.0.9:

+ Core: Work around busy looping when playing an invalid item through VLM.
+ Access:
* Multiple dvdread and dvdnav crashs fixes
* Fixed DVD glitches on clip change
* Fixed dvdread commands/data sequence inversion in some cases causing
unwanted glitches
* Better handling of authored as corrupted DVD
* Added libsmb2 support for SMB2/3 shares
+ Demux:
* Fix TTML entities not passed to decoder
* Fixed some WebVTT styling tags being not applied
* Misc raw H264/HEVC frame rate fixes
* Fix adaptive regression on TS format change (mostly HLS)
* Fixed MP4 regression with twos/sowt PCM audio
* Fixed some MP4 raw quicktime and ms-PCM audio
* Fixed MP4 interlacing handling
* Multiple adaptive stack (DASH/HLS/Smooth) fixes
* Enabled Live seeking for HLS
* Fixed seeking in some cases for HLS
* Improved Live playback for Smooth and DASH
* Fixed adaptive unwanted end of stream in some cases
* Faster adaptive start and new buffering control options
+ Packetizers:
* Fixes H264/HEVC incomplete draining in some cases
* packetizer_helper: Fix potential trailing junk on last packet
* Added missing drain in packetizers that was causing missing last frame
or audio
* Improved check to prevent fLAC synchronization drops
+ Decoder:
* avcodec: revector video decoder to fix incomplete drain
* spudec: implemented palette updates, fixing missing subtitles
on some DVD
* Fixed WebVTT CSS styling not being applied on Windows/macOS
* Fixed Hebrew teletext pages support in zvbi
* Fixed Dav1d aborting decoding on corrupted picture
* Extract and display of all CEA708 subtitles
* Update libfaad to 2.9.1
* Add DXVA support for VP9 Profile 2 (10 bits)
* Mediacodec aspect ratio with Amazon devices
+ Audio output:
* Added support for iOS audiounit audio above 48KHz
* Added support for amem audio up to 384KHz
+ Video output:
* Fix for opengl glitches in some drivers
* Fix GMA950 opengl support on macOS
* YUV to RGB StretchRect fixes with NVIDIA drivers
* Use libpacebo new tone mapping desaturation algorithm
+ Text renderer:
* Fix crashes on macOS with SSA/ASS subtitles containing emoji
* Fixed unwanted growing background in Freetype rendering and Y padding
+ Mux: Fixed some YUV mappings
+ Service Discovery: Update libmicrodns to 0.1.2.
+ Misc:
* Update YouTube, SoundCloud and Vocaroo scripts: this restores playback
of YouTube URLs.
* Add missing .wpl & .zpl file associations on Windows
* Improved chromecast audio quality

Update to version 3.0.8 'vetinari':

+ Fix stuttering for low framerate videos
+ Improve adaptive streaming
+ Improve audio output for external audio devices on macOS/iOS
+ Fix hardware acceleration with Direct3D11 for some AMD drivers
+ Fix WebVTT subtitles rendering
+ Vetinari is a major release changing a lot in the media engine of VLC.
It is one of the largest release we've ever done. Notably, it:
- activates hardware decoding on all platforms, of H.264 & H.265, 8 &
10bits, allowing 4K60 or even 8K decoding with little CPU consumption,
- merges all the code from the mobile ports into the same codebase with
common numbering and releases,
- supports 360 video and 3D audio, and prepares for VR content,
- supports direct HDR and HDR tone-mapping,
- updates the audio passthrough for HD Audio codecs,
- allows browsing of local network drives like SMB, FTP, SFTP, NFS...
- stores the passwords securely,
- brings a new subtitle rendering engine, supporting ComplexTextLayout
and font fallback to support multiple languages and fonts,
- supports ChromeCast with the new renderer framework,
- adds support for numerous new formats and codecs, including WebVTT,
AV1, TTML, HQX, 708, Cineform, and many more,
- improves Bluray support with Java menus, aka BD-J,
- updates the macOS interface with major cleaning and improvements,
- support HiDPI UI on Windows, with the switch to Qt5,
- prepares the experimental support for Wayland on Linux, and switches
to OpenGL by default on Linux.
+ Security fixes included:
* Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
* Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
* Fix a read buffer overflow in the FAAD decoder
* Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437,
CVE-2019-14438)
* Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
* Fix a use after free in the MKV demuxer (CVE-2019-14777,
CVE-2019-14778)
* Fix a use after free in the ASF demuxer (CVE-2019-14533)
* Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
* Fix a null dereference in the dvdnav demuxer
* Fix a null dereference in the ASF demuxer (CVE-2019-14534)
* Fix a null dereference in the AVI demuxer
* Fix a division by zero in the CAF demuxer (CVE-2019-14498)
* Fix a division by zero in the ASF demuxer (CVE-2019-14535)
- Disbale mod-plug for the time being: libmodplug 0.8.9 is not yet
available.

- Disable SDL_image (SDL 1.2) based codec. It is only a wrapper around
some image loading libraries (libpng, libjpeg, ...) which are either
wrapped by vlc itself (libpng_plugin.so) or via libavcodec
(libavcodec_plugin.so).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-545=1


Package List:

- openSUSE Leap 15.1 (noarch):

vlc-lang-3.0.9.2-lp151.6.6.1

- openSUSE Leap 15.1 (x86_64):

libvlc5-3.0.9.2-lp151.6.6.1
libvlc5-debuginfo-3.0.9.2-lp151.6.6.1
libvlccore9-3.0.9.2-lp151.6.6.1
libvlccore9-debuginfo-3.0.9.2-lp151.6.6.1
vlc-3.0.9.2-lp151.6.6.1
vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1
vlc-codec-gstreamer-debuginfo-3.0.9.2-lp151.6.6.1
vlc-debuginfo-3.0.9.2-lp151.6.6.1
vlc-debugsource-3.0.9.2-lp151.6.6.1
vlc-devel-3.0.9.2-lp151.6.6.1
vlc-jack-3.0.9.2-lp151.6.6.1
vlc-jack-debuginfo-3.0.9.2-lp151.6.6.1
vlc-noX-3.0.9.2-lp151.6.6.1
vlc-noX-debuginfo-3.0.9.2-lp151.6.6.1
vlc-opencv-3.0.9.2-lp151.6.6.1
vlc-opencv-debuginfo-3.0.9.2-lp151.6.6.1
vlc-qt-3.0.9.2-lp151.6.6.1
vlc-qt-debuginfo-3.0.9.2-lp151.6.6.1
vlc-vdpau-3.0.9.2-lp151.6.6.1
vlc-vdpau-debuginfo-3.0.9.2-lp151.6.6.1

References:

  https://www.suse.com/security/cve/CVE-2019-13602.html
  https://www.suse.com/security/cve/CVE-2019-13962.html
  https://www.suse.com/security/cve/CVE-2019-14437.html
  https://www.suse.com/security/cve/CVE-2019-14438.html
  https://www.suse.com/security/cve/CVE-2019-14498.html
  https://www.suse.com/security/cve/CVE-2019-14533.html
  https://www.suse.com/security/cve/CVE-2019-14534.html
  https://www.suse.com/security/cve/CVE-2019-14535.html
  https://www.suse.com/security/cve/CVE-2019-14776.html
  https://www.suse.com/security/cve/CVE-2019-14777.html
  https://www.suse.com/security/cve/CVE-2019-14778.html
  https://www.suse.com/security/cve/CVE-2019-14970.html
  https://bugzilla.suse.com/1142161
  https://bugzilla.suse.com/1146428