openSUSE Security Update: Security update for vlc ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:0562-1 Rating: moderate References: #1142161 #1146428 Cross-References: CVE-2019-13602 CVE-2019-13962 CVE-2019-14437 CVE-2019-14438 CVE-2019-14498 CVE-2019-14533 CVE-2019-14534 CVE-2019-14535 CVE-2019-14776 CVE-2019-14777 CVE-2019-14778 CVE-2019-14970 Affected Products: openSUSE Backports SLE-15-SP1 ______________________________________________________________________________ An update that fixes 12 vulnerabilities is now available. Description: This update for vlc fixes the following issues: vlc was updated to version 3.0.9.2: + Misc: Properly bump the version in configure.ac. Changes from version 3.0.9.1: + Misc: Fix VLSub returning 401 for earch request. Changes from version 3.0.9: + Core: Work around busy looping when playing an invalid item through VLM. + Access: * Multiple dvdread and dvdnav crashs fixes * Fixed DVD glitches on clip change * Fixed dvdread commands/data sequence inversion in some cases causing unwanted glitches * Better handling of authored as corrupted DVD * Added libsmb2 support for SMB2/3 shares + Demux: * Fix TTML entities not passed to decoder * Fixed some WebVTT styling tags being not applied * Misc raw H264/HEVC frame rate fixes * Fix adaptive regression on TS format change (mostly HLS) * Fixed MP4 regression with twos/sowt PCM audio * Fixed some MP4 raw quicktime and ms-PCM audio * Fixed MP4 interlacing handling * Multiple adaptive stack (DASH/HLS/Smooth) fixes * Enabled Live seeking for HLS * Fixed seeking in some cases for HLS * Improved Live playback for Smooth and DASH * Fixed adaptive unwanted end of stream in some cases * Faster adaptive start and new buffering control options + Packetizers: * Fixes H264/HEVC incomplete draining in some cases * packetizer_helper: Fix potential trailing junk on last packet * Added missing drain in packetizers that was causing missing last frame or audio * Improved check to prevent fLAC synchronization drops + Decoder: * avcodec: revector video decoder to fix incomplete drain * spudec: implemented palette updates, fixing missing subtitles on some DVD * Fixed WebVTT CSS styling not being applied on Windows/macOS * Fixed Hebrew teletext pages support in zvbi * Fixed Dav1d aborting decoding on corrupted picture * Extract and display of all CEA708 subtitles * Update libfaad to 2.9.1 * Add DXVA support for VP9 Profile 2 (10 bits) * Mediacodec aspect ratio with Amazon devices + Audio output: * Added support for iOS audiounit audio above 48KHz * Added support for amem audio up to 384KHz + Video output: * Fix for opengl glitches in some drivers * Fix GMA950 opengl support on macOS * YUV to RGB StretchRect fixes with NVIDIA drivers * Use libpacebo new tone mapping desaturation algorithm + Text renderer: * Fix crashes on macOS with SSA/ASS subtitles containing emoji * Fixed unwanted growing background in Freetype rendering and Y padding + Mux: Fixed some YUV mappings + Service Discovery: Update libmicrodns to 0.1.2. + Misc: * Update YouTube, SoundCloud and Vocaroo scripts: this restores playback of YouTube URLs. * Add missing .wpl & .zpl file associations on Windows * Improved chromecast audio quality Update to version 3.0.8 'vetinari': + Fix stuttering for low framerate videos + Improve adaptive streaming + Improve audio output for external audio devices on macOS/iOS + Fix hardware acceleration with Direct3D11 for some AMD drivers + Fix WebVTT subtitles rendering + Vetinari is a major release changing a lot in the media engine of VLC. It is one of the largest release we've ever done. Notably, it: - activates hardware decoding on all platforms, of H.264 & H.265, 8 & 10bits, allowing 4K60 or even 8K decoding with little CPU consumption, - merges all the code from the mobile ports into the same codebase with common numbering and releases, - supports 360 video and 3D audio, and prepares for VR content, - supports direct HDR and HDR tone-mapping, - updates the audio passthrough for HD Audio codecs, - allows browsing of local network drives like SMB, FTP, SFTP, NFS... - stores the passwords securely, - brings a new subtitle rendering engine, supporting ComplexTextLayout and font fallback to support multiple languages and fonts, - supports ChromeCast with the new renderer framework, - adds support for numerous new formats and codecs, including WebVTT, AV1, TTML, HQX, 708, Cineform, and many more, - improves Bluray support with Java menus, aka BD-J, - updates the macOS interface with major cleaning and improvements, - support HiDPI UI on Windows, with the switch to Qt5, - prepares the experimental support for Wayland on Linux, and switches to OpenGL by default on Linux. + Security fixes included: * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970) * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962) * Fix a read buffer overflow in the FAAD decoder * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438) * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776) * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778) * Fix a use after free in the ASF demuxer (CVE-2019-14533) * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602) * Fix a null dereference in the dvdnav demuxer * Fix a null dereference in the ASF demuxer (CVE-2019-14534) * Fix a null dereference in the AVI demuxer * Fix a division by zero in the CAF demuxer (CVE-2019-14498) * Fix a division by zero in the ASF demuxer (CVE-2019-14535) - Disbale mod-plug for the time being: libmodplug 0.8.9 is not yet available. - Disable SDL_image (SDL 1.2) based codec. It is only a wrapper around some image loading libraries (libpng, libjpeg, ...) which are either wrapped by vlc itself (libpng_plugin.so) or via libavcodec (libavcodec_plugin.so). This update was imported from the openSUSE:Leap:15.1:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP1: zypper in -t patch openSUSE-2020-562=1 Package List: - openSUSE Backports SLE-15-SP1 (x86_64): libvlc5-3.0.9.2-bp151.5.6.1 libvlccore9-3.0.9.2-bp151.5.6.1 vlc-3.0.9.2-bp151.5.6.1 vlc-codec-gstreamer-3.0.9.2-bp151.5.6.1 vlc-devel-3.0.9.2-bp151.5.6.1 vlc-jack-3.0.9.2-bp151.5.6.1 vlc-noX-3.0.9.2-bp151.5.6.1 vlc-opencv-3.0.9.2-bp151.5.6.1 vlc-qt-3.0.9.2-bp151.5.6.1 vlc-vdpau-3.0.9.2-bp151.5.6.1 - openSUSE Backports SLE-15-SP1 (noarch): vlc-lang-3.0.9.2-bp151.5.6.1 References: https://www.suse.com/security/cve/CVE-2019-13602.html https://www.suse.com/security/cve/CVE-2019-13962.html https://www.suse.com/security/cve/CVE-2019-14437.html https://www.suse.com/security/cve/CVE-2019-14438.html https://www.suse.com/security/cve/CVE-2019-14498.html https://www.suse.com/security/cve/CVE-2019-14533.html https://www.suse.com/security/cve/CVE-2019-14534.html https://www.suse.com/security/cve/CVE-2019-14535.html https://www.suse.com/security/cve/CVE-2019-14776.html https://www.suse.com/security/cve/CVE-2019-14777.html https://www.suse.com/security/cve/CVE-2019-14778.html https://www.suse.com/security/cve/CVE-2019-14970.html https://bugzilla.suse.com/1142161 https://bugzilla.suse.com/1146428 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org