openSUSE-SU-2023:0365-1: moderate: Security update for vlc

12 Nov 2023

      openSUSE Security Update: Security update for vlc
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0365-1
Rating:             moderate
References:         
Cross-References:   CVE-2022-37434 CVE-2023-5217
CVSS scores:
                    CVE-2022-37434 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-37434 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2023-5217 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2023-5217 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for vlc fixes the following issues:

   Update to version 3.0.20:

   + Video Output:
     - Fix green line in fullscreen in D3D11 video output
     - Fix crash with some AMD drivers old versions
     - Fix events propagation issue when double-clicking with mouse wheel
   + Decoders:
     - Fix crash when AV1 hardware decoder fails
   + Interface:
     - Fix annoying disappearance of the Windows fullscreen controller
   + Demuxers:
     - Fix potential security issue (OOB Write) on MMS:// by checking user
       size bounds

   Update to version 3.0.19:

   + Core:
     - Fix next-frame freezing in most scenarios
   + Demux:
     - Support RIFF INFO tags for Wav files
     - Fix AVI files with flipped RAW video planes
     - Fix duration on short and small Ogg/Opus files
     - Fix some HLS/TS streams with ID3 prefix
     - Fix some HLS playlist refresh drift
     - Fix for GoPro MAX spatial metadata
     - Improve FFmpeg-muxed MP4 chapters handling
     - Improve playback for QNap-produced AVI files
     - Improve playback of some old RealVideo files
     - Fix duration probing on some MP4 with missing information
   + Decoders:
     - Multiple fixes on AAC handling
     - Activate hardware decoding of AV1 on Windows (DxVA)
     - Improve AV1 HDR support with software decoding
     - Fix some AV1 GBRP streams, AV1 super-resolution streams and monochrome
       ones
     - Fix black screen on poorly edited MP4 files on Android Mediacodec
     - Fix rawvid video in NV12
     - Fix several issues on Windows hardware decoding (including "too large
       resolution in DxVA")
     - Improve crunchyroll-produced SSA rendering
   + Video Output:
     - Super Resolution scaling with nVidia and Intel GPUs
     - Fix for an issue when cropping on Direct3D9
     - Multiple fixes for hardware decoding on D3D11 and OpenGL interop
     - Fix an issue when playing -90°rotated video
     - Fix subtitles rendering blur on recent macOS
   + Input:
     - Improve SMB compatibility with Windows 11 hosts
   + Contribs:
     - Update of fluidlite, fixing some MIDI rendering on Windows
     - Update of zlib to 1.2.13 (CVE-2022-37434)
     - Update of FFmpeg, vpx (CVE-2023-5217), ebml, dav1d, libass
   + Misc:
     - Improve muxing timestamps in a few formats (reset to 0)
     - Fix some rendering issues on Linux with the fullscreen controller
     - Fix GOOM visualization
     - Fixes for Youtube playback
     - Fix some MPRIS inconsistencies that broke some OS widgets on Linux
     - Implement MPRIS TrackList signals
     - Fix opening files in read-only mode
     - Fix password search using the Kwallet backend
     - Fix some crashes on macOS when switching application
     - Fix 5.1/7.1 output on macOS and tvOS
     - Fix several crashes and bugs in the macOS preferences panel
     - Improvements on the threading of the MMDevice audio output on Windows
     - Fix a potential security issue on the uninstaller DLLs
     - Fix memory leaks when using the media_list_player libVLC APIs
   + Translations:
     - Update of most translations
     - New translations to Esperanto, Interlingue, Lao, Macedonian, Burmese,
       Odia, Samoan and Swahili

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2023-365=1

Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 ppc64le x86_64):

      libvlc5-3.0.20-bp154.2.6.1
      libvlccore9-3.0.20-bp154.2.6.1
      vlc-3.0.20-bp154.2.6.1
      vlc-codec-gstreamer-3.0.20-bp154.2.6.1
      vlc-devel-3.0.20-bp154.2.6.1
      vlc-jack-3.0.20-bp154.2.6.1
      vlc-noX-3.0.20-bp154.2.6.1
      vlc-opencv-3.0.20-bp154.2.6.1
      vlc-qt-3.0.20-bp154.2.6.1
      vlc-vdpau-3.0.20-bp154.2.6.1

   - openSUSE Backports SLE-15-SP4 (noarch):

      vlc-lang-3.0.20-bp154.2.6.1

References:

   https://www.suse.com/security/cve/CVE-2022-37434.html
   https://www.suse.com/security/cve/CVE-2023-5217.html

opensuse-security＠opensuse.org

tags

participants (1)