openSUSE Security Update: Security update for vlc ______________________________________________________________________________ Announcement ID: openSUSE-SU-2019:1909-1 Rating: important References: #1093732 #1094893 #1118586 #1133290 #1138354 #1138933 #1141522 #1142161 #1143547 #1143549 Cross-References: CVE-2018-19857 CVE-2019-12874 CVE-2019-13602 CVE-2019-13962 CVE-2019-5439 CVE-2019-5459 CVE-2019-5460 Affected Products: openSUSE Leap 15.0 ______________________________________________________________________________ An update that solves 7 vulnerabilities and has three fixes is now available. Description: This update for vlc to version 3.0.7.1 fixes the following issues: Security issues fixed: - CVE-2019-5439: Fixed a buffer overflow (bsc#1138354). - CVE-2019-5459: Fixed an integer underflow (bsc#1143549). - CVE-2019-5460: Fixed a double free (bsc#1143547). - CVE-2019-12874: Fixed a double free in zlib_decompress_extra in modules/demux/mkv/util.cpp (bsc#1138933). - CVE-2019-13602: Fixed an integer underflow in mp4 demuxer (boo#1141522). - CVE-2019-13962: Fixed a heap-based buffer over-read in avcodec (boo#1142161). Non-security issues fixed: - Video Output: * Fix hardware acceleration with some AMD drivers * Improve direct3d11 HDR support - Access: * Improve Blu-ray support - Audio output: * Fix pass-through on Android-23 * Fix DirectSound drain - Demux: Improve MP4 support - Video Output: * Fix 12 bits sources playback with Direct3D11 * Fix crash on iOS * Fix midstream aspect-ratio changes when Windows hardware decoding is on * Fix HLG display with Direct3D11 - Stream Output: Improve Chromecast support with new ChromeCast apps - Misc: * Update Youtube, Dailymotion, Vimeo, Soundcloud scripts * Work around busy looping when playing an invalid item with loop enabled - Updated translations. New package libaom: * Initial version 1.0.0 * A library for AOMedia Video 1 (AV1), an open, royalty-free video coding format designed for video transmissions over the Internet. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.0: zypper in -t patch openSUSE-2019-1909=1 Package List: - openSUSE Leap 15.0 (noarch): libaom-devel-doc-1.0.0-lp150.2.1 vlc-lang-3.0.7.1-lp150.8.1 - openSUSE Leap 15.0 (x86_64): aom-tools-1.0.0-lp150.2.1 aom-tools-debuginfo-1.0.0-lp150.2.1 libaom-debugsource-1.0.0-lp150.2.1 libaom-devel-1.0.0-lp150.2.1 libaom0-1.0.0-lp150.2.1 libaom0-debuginfo-1.0.0-lp150.2.1 libvlc5-3.0.7.1-lp150.8.1 libvlc5-debuginfo-3.0.7.1-lp150.8.1 libvlccore9-3.0.7.1-lp150.8.1 libvlccore9-debuginfo-3.0.7.1-lp150.8.1 vlc-3.0.7.1-lp150.8.1 vlc-codec-gstreamer-3.0.7.1-lp150.8.1 vlc-codec-gstreamer-debuginfo-3.0.7.1-lp150.8.1 vlc-debuginfo-3.0.7.1-lp150.8.1 vlc-debugsource-3.0.7.1-lp150.8.1 vlc-devel-3.0.7.1-lp150.8.1 vlc-jack-3.0.7.1-lp150.8.1 vlc-jack-debuginfo-3.0.7.1-lp150.8.1 vlc-noX-3.0.7.1-lp150.8.1 vlc-noX-debuginfo-3.0.7.1-lp150.8.1 vlc-qt-3.0.7.1-lp150.8.1 vlc-qt-debuginfo-3.0.7.1-lp150.8.1 vlc-vdpau-3.0.7.1-lp150.8.1 vlc-vdpau-debuginfo-3.0.7.1-lp150.8.1 References: https://www.suse.com/security/cve/CVE-2018-19857.html https://www.suse.com/security/cve/CVE-2019-12874.html https://www.suse.com/security/cve/CVE-2019-13602.html https://www.suse.com/security/cve/CVE-2019-13962.html https://www.suse.com/security/cve/CVE-2019-5439.html https://www.suse.com/security/cve/CVE-2019-5459.html https://www.suse.com/security/cve/CVE-2019-5460.html https://bugzilla.suse.com/1093732 https://bugzilla.suse.com/1094893 https://bugzilla.suse.com/1118586 https://bugzilla.suse.com/1133290 https://bugzilla.suse.com/1138354 https://bugzilla.suse.com/1138933 https://bugzilla.suse.com/1141522 https://bugzilla.suse.com/1142161 https://bugzilla.suse.com/1143547 https://bugzilla.suse.com/1143549 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org