openSUSE Security Update: Security update for vlc ______________________________________________________________________________ Announcement ID: openSUSE-SU-2016:1651-1 Rating: important References: #973354 #984382 Cross-References: CVE-2016-3941 CVE-2016-5108 Affected Products: openSUSE 13.2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for vlc to version 2.1.6 fixes the following issues: These CVE were fixed: - CVE-2016-5108: Reject invalid QuickTime IMA files (boo#984382). - CVE-2016-3941: Heap overflow in processing wav files (boo#973354). These security issues without were fixed: - Fix heap overflow in decomp stream filter. - Fix buffer overflow in updater. - Fix potential buffer overflow in schroedinger encoder. - Fix null-pointer dereference in DMO decoder. - Fix buffer overflow in parsing of string boxes in mp4 demuxer. - Fix SRTP integer overflow. - Fix potential crash in zip access. - Fix read overflow in Ogg demuxer. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2016-755=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (i586 x86_64): libvlc5-2.1.6-2.10.1 libvlc5-debuginfo-2.1.6-2.10.1 libvlccore7-2.1.6-2.10.1 libvlccore7-debuginfo-2.1.6-2.10.1 vlc-2.1.6-2.10.1 vlc-debuginfo-2.1.6-2.10.1 vlc-debugsource-2.1.6-2.10.1 vlc-devel-2.1.6-2.10.1 vlc-gnome-2.1.6-2.10.1 vlc-gnome-debuginfo-2.1.6-2.10.1 vlc-noX-2.1.6-2.10.1 vlc-noX-debuginfo-2.1.6-2.10.1 vlc-qt-2.1.6-2.10.1 vlc-qt-debuginfo-2.1.6-2.10.1 - openSUSE 13.2 (noarch): vlc-noX-lang-2.1.6-2.10.1 References: https://www.suse.com/security/cve/CVE-2016-3941.html https://www.suse.com/security/cve/CVE-2016-5108.html https://bugzilla.suse.com/973354 https://bugzilla.suse.com/984382 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org