   openSUSE Security Update: Security update for vlc
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0365-1
Rating:             moderate
References:
Cross-References:   CVE-2022-37434 CVE-2023-5217
CVSS scores:
                    CVE-2022-37434 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-37434 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2023-5217 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2023-5217 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for vlc fixes the following issues:

   Update to version 3.0.20:
   + Video Output:
     - Fix green line in fullscreen in D3D11 video output
     - Fix crash with some AMD drivers old versions
     - Fix events propagation issue when double-clicking with mouse wheel
   + Decoders:
     - Fix crash when AV1 hardware decoder fails
   + Interface:
     - Fix annoying disappearance of the Windows fullscreen controller
   + Demuxers:
     - Fix potential security issue (OOB Write) on MMS:// by checking user size
       bounds

   Update to version 3.0.19:
   + Core:
     - Fix next-frame freezing in most scenarios
   + Demux:
     - Support RIFF INFO tags for Wav files
     - Fix AVI files with flipped RAW video planes
     - Fix duration on short and small Ogg/Opus files
     - Fix some HLS/TS streams with ID3 prefix
     - Fix some HLS playlist refresh drift
     - Fix for GoPro MAX spatial metadata
     - Improve FFmpeg-muxed MP4 chapters handling
     - Improve playback for QNap-produced AVI files
     - Improve playback of some old RealVideo files
     - Fix duration probing on some MP4 with missing information
   + Decoders:
     - Multiple fixes on AAC handling
     - Activate hardware decoding of AV1 on Windows (DxVA)
     - Improve AV1 HDR support with software decoding
     - Fix some AV1 GBRP streams, AV1 super-resolution streams and monochrome
       ones
     - Fix black screen on poorly edited MP4 files on Android Mediacodec
     - Fix rawvid video in NV12
     - Fix several issues on Windows hardware decoding (including "too large
       resolution in DxVA")
     - Improve crunchyroll-produced SSA rendering
   + Video Output:
     - Super Resolution scaling with nVidia and Intel GPUs
     - Fix for an issue when cropping on Direct3D9
     - Multiple fixes for hardware decoding on D3D11 and OpenGL interop
     - Fix an issue when playing -90° rotated video
     - Fix subtitles rendering blur on recent macOS
   + Input:
     - Improve SMB compatibility with Windows 11 hosts
   + Contribs:
     - Update of fluidlite, fixing some MIDI rendering on Windows
     - Update of zlib to 1.2.13 (CVE-2022-37434)
     - Update of FFmpeg, vpx (CVE-2023-5217), ebml, dav1d, libass
   + Misc:
     - Improve muxing timestamps in a few formats (reset to 0)
     - Fix some rendering issues on Linux with the fullscreen controller
     - Fix GOOM visualization
     - Fixes for Youtube playback
     - Fix some MPRIS inconsistencies that broke some OS widgets on Linux
     - Implement MPRIS TrackList signals
     - Fix opening files in read-only mode
     - Fix password search using the Kwallet backend
     - Fix some crashes on macOS when switching application
     - Fix 5.1/7.1 output on macOS and tvOS
     - Fix several crashes and bugs in the macOS preferences panel
     - Improvements on the threading of the MMDevice audio output on Windows
     - Fix a potential security issue on the uninstaller DLLs
     - Fix memory leaks when using the media_list_player libVLC APIs
   + Translations:
     - Update of most translations
     - New translations to Esperanto, Interlingue, Lao, Macedonian, Burmese,
       Odia, Samoan and Swahili

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2023-365=1

Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 ppc64le x86_64):

      libvlc5-3.0.20-bp154.2.6.1
      libvlccore9-3.0.20-bp154.2.6.1
      vlc-3.0.20-bp154.2.6.1
      vlc-codec-gstreamer-3.0.20-bp154.2.6.1
      vlc-devel-3.0.20-bp154.2.6.1
      vlc-jack-3.0.20-bp154.2.6.1
      vlc-noX-3.0.20-bp154.2.6.1
      vlc-opencv-3.0.20-bp154.2.6.1
      vlc-qt-3.0.20-bp154.2.6.1
      vlc-vdpau-3.0.20-bp154.2.6.1

   - openSUSE Backports SLE-15-SP4 (noarch):

      vlc-lang-3.0.20-bp154.2.6.1

References:

   https://www.suse.com/security/cve/CVE-2022-37434.html
   https://www.suse.com/security/cve/CVE-2023-5217.html
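To confirm that the patch above actually landed, a defender can compare the installed vlc packages against the fixed builds in the Package List. The following is an added example, not part of the advisory or of SUSE tooling: it reimplements a simplified rpm label comparison in Python (tilde and caret ordering are left out, and lines are assumed to be the default `rpm -qa` name-version-release.arch output without epoch) and runs it over a constructed sample of `rpm -qa` output.

```python
import re

# Fixed builds from the advisory's Package List (openSUSE Backports SLE-15-SP4).
FIXED_VR = "3.0.20-bp154.2.6.1"
ADVISORY_PACKAGES = {name: FIXED_VR for name in (
    "libvlc5", "libvlccore9", "vlc", "vlc-codec-gstreamer", "vlc-devel", "vlc-jack",
    "vlc-noX", "vlc-opencv", "vlc-qt", "vlc-vdpau", "vlc-lang")}

def _segments(label):
    # rpm compares maximal runs of digits or letters; separators like '.' are dropped
    return re.findall(r"[0-9]+|[A-Za-z]+", label)

def rpmvercmp(a, b):
    """Simplified rpmvercmp: digit runs compare as integers, letter runs lexically,
    a digit run beats a letter run, and with an equal common prefix the label with
    more segments is newer. Returns -1, 0 or 1. Assumption: no '~' / '^' handling."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(installed, fixed):
    """Compare 'version-release' labels as rpm does: version first, then release."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def parse_nvra(line):
    """Split an `rpm -qa` line (name-version-release.arch) into its parts; no epoch assumed."""
    nvr, _, arch = line.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def find_unpatched(rpm_qa_output):
    """Return (name, installed version-release) for advisory packages older than the fix."""
    missing = []
    for line in filter(None, (l.strip() for l in rpm_qa_output.splitlines())):
        name, version, release, _arch = parse_nvra(line)
        fixed = ADVISORY_PACKAGES.get(name)
        if fixed and compare_vr(f"{version}-{release}", fixed) < 0:
            missing.append((name, f"{version}-{release}"))
    return missing

# Constructed sample of `rpm -qa` output; the 3.0.18 builds are invented for the demo.
SAMPLE_RPM_QA = """\
vlc-3.0.18-bp154.2.3.1.x86_64
libvlc5-3.0.20-bp154.2.6.1.x86_64
vlc-lang-3.0.20-bp154.2.6.1.noarch
vlc-qt-3.0.18-bp154.2.3.1.x86_64
"""

if __name__ == "__main__":
    for name, vr in find_unpatched(SAMPLE_RPM_QA):
        print(f"{name} still at {vr}, below {FIXED_VR}")
```

On a real host, feed it `rpm -qa 'vlc*' 'libvlc*'` instead of the sample; an empty result means every advisory package is at or above the fixed build.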