SUSE 5185 Published by

A vlc security update has been released for SUSE Linux Enterprise 15 SP5.



openSUSE-SU-2023:0366-1: moderate: Security update for vlc


openSUSE Security Update: Security update for vlc
_______________________________

Announcement ID: openSUSE-SU-2023:0366-1
Rating: moderate
References: #1206142
Cross-References: CVE-2022-37434 CVE-2022-41325 CVE-2023-5217

CVSS scores:
CVE-2022-37434 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-37434 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-41325 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-5217 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-5217 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for vlc fixes the following issues:

Update to version 3.0.20:

+ Video Output:
- Fix green line in fullscreen in D3D11 video output
- Fix crash with some AMD drivers old versions
- Fix events propagation issue when double-clicking with mouse wheel
+ Decoders:
- Fix crash when AV1 hardware decoder fails
+ Interface:
- Fix annoying disappearance of the Windows fullscreen controller
+ Demuxers:
- Fix potential security issue (OOB Write) on MMS:// by checking user
size bounds

Update to version 3.0.19:

+ Core:
- Fix next-frame freezing in most scenarios
+ Demux:
- Support RIFF INFO tags for Wav files
- Fix AVI files with flipped RAW video planes
- Fix duration on short and small Ogg/Opus files
- Fix some HLS/TS streams with ID3 prefix
- Fix some HLS playlist refresh drift
- Fix for GoPro MAX spatial metadata
- Improve FFmpeg-muxed MP4 chapters handling
- Improve playback for QNap-produced AVI files
- Improve playback of some old RealVideo files
- Fix duration probing on some MP4 with missing information
+ Decoders:
- Multiple fixes on AAC handling
- Activate hardware decoding of AV1 on Windows (DxVA)
- Improve AV1 HDR support with software decoding
- Fix some AV1 GBRP streams, AV1 super-resolution streams and monochrome
ones
- Fix black screen on poorly edited MP4 files on Android Mediacodec
- Fix rawvid video in NV12
- Fix several issues on Windows hardware decoding (including "too large
resolution in DxVA")
- Improve crunchyroll-produced SSA rendering
+ Video Output:
- Super Resolution scaling with nVidia and Intel GPUs
- Fix for an issue when cropping on Direct3D9
- Multiple fixes for hardware decoding on D3D11 and OpenGL interop
- Fix an issue when playing -90°rotated video
- Fix subtitles rendering blur on recent macOS
+ Input:
- Improve SMB compatibility with Windows 11 hosts
+ Contribs:
- Update of fluidlite, fixing some MIDI rendering on Windows
- Update of zlib to 1.2.13 (CVE-2022-37434)
- Update of FFmpeg, vpx (CVE-2023-5217), ebml, dav1d, libass
+ Misc:
- Improve muxing timestamps in a few formats (reset to 0)
- Fix some rendering issues on Linux with the fullscreen controller
- Fix GOOM visualization
- Fixes for Youtube playback
- Fix some MPRIS inconsistencies that broke some OS widgets on Linux
- Implement MPRIS TrackList signals
- Fix opening files in read-only mode
- Fix password search using the Kwallet backend
- Fix some crashes on macOS when switching application
- Fix 5.1/7.1 output on macOS and tvOS
- Fix several crashes and bugs in the macOS preferences panel
- Improvements on the threading of the MMDevice audio output on Windows
- Fix a potential security issue on the uninstaller DLLs
- Fix memory leaks when using the media_list_player libVLC APIs
+ Translations:
- Update of most translations
- New translations to Esperanto, Interlingue, Lao, Macedonian, Burmese,
Odia, Samoan and Swahili

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2023-366=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 ppc64le x86_64):

libvlc5-3.0.20-bp155.2.3.1
libvlccore9-3.0.20-bp155.2.3.1
vlc-3.0.20-bp155.2.3.1
vlc-codec-gstreamer-3.0.20-bp155.2.3.1
vlc-devel-3.0.20-bp155.2.3.1
vlc-jack-3.0.20-bp155.2.3.1
vlc-noX-3.0.20-bp155.2.3.1
vlc-opencv-3.0.20-bp155.2.3.1
vlc-qt-3.0.20-bp155.2.3.1
vlc-vdpau-3.0.20-bp155.2.3.1

- openSUSE Backports SLE-15-SP5 (noarch):

vlc-lang-3.0.20-bp155.2.3.1

References:

https://www.suse.com/security/cve/CVE-2022-37434.html
https://www.suse.com/security/cve/CVE-2022-41325.html
https://www.suse.com/security/cve/CVE-2023-5217.html
https://bugzilla.suse.com/1206142