Security update for vlc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2023:0366-1 Final 1 1 2023-11-12T13:01:02Z current 2023-11-12T13:01:02Z 2023-11-12T13:01:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for vlc This update for vlc fixes the following issues: Update to version 3.0.20: + Video Output: - Fix green line in fullscreen in D3D11 video output - Fix crash with some AMD drivers old versions - Fix events propagation issue when double-clicking with mouse wheel + Decoders: - Fix crash when AV1 hardware decoder fails + Interface: - Fix annoying disappearance of the Windows fullscreen controller + Demuxers: - Fix potential security issue (OOB Write) on MMS:// by checking user size bounds Update to version 3.0.19: + Core: - Fix next-frame freezing in most scenarios + Demux: - Support RIFF INFO tags for Wav files - Fix AVI files with flipped RAW video planes - Fix duration on short and small Ogg/Opus files - Fix some HLS/TS streams with ID3 prefix - Fix some HLS playlist refresh drift - Fix for GoPro MAX spatial metadata - Improve FFmpeg-muxed MP4 chapters handling - Improve playback for QNap-produced AVI files - Improve playback of some old RealVideo files - Fix duration probing on some MP4 with missing information + Decoders: - Multiple fixes on AAC handling - Activate hardware decoding of AV1 on Windows (DxVA) - Improve AV1 HDR support with software decoding - Fix some AV1 GBRP streams, AV1 super-resolution streams and monochrome ones - Fix black screen on poorly edited MP4 files on Android Mediacodec - Fix rawvid video in NV12 - Fix several issues on Windows hardware decoding (including 'too large resolution in DxVA') - Improve crunchyroll-produced SSA rendering + Video Output: - Super Resolution scaling with nVidia and Intel GPUs - Fix for an issue when cropping on Direct3D9 - Multiple fixes for hardware decoding on D3D11 and OpenGL interop - Fix an issue when playing -90°rotated video - Fix subtitles rendering blur on recent macOS + Input: - Improve SMB compatibility with Windows 11 hosts + Contribs: - Update of fluidlite, fixing some MIDI rendering on Windows - Update of zlib to 1.2.13 (CVE-2022-37434) - Update of FFmpeg, vpx (CVE-2023-5217), ebml, dav1d, libass + Misc: - Improve muxing timestamps in a few formats (reset to 0) - Fix some rendering issues on Linux with the fullscreen controller - Fix GOOM visualization - Fixes for Youtube playback - Fix some MPRIS inconsistencies that broke some OS widgets on Linux - Implement MPRIS TrackList signals - Fix opening files in read-only mode - Fix password search using the Kwallet backend - Fix some crashes on macOS when switching application - Fix 5.1/7.1 output on macOS and tvOS - Fix several crashes and bugs in the macOS preferences panel - Improvements on the threading of the MMDevice audio output on Windows - Fix a potential security issue on the uninstaller DLLs - Fix memory leaks when using the media_list_player libVLC APIs + Translations: - Update of most translations - New translations to Esperanto, Interlingue, Lao, Macedonian, Burmese, Odia, Samoan and Swahili The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2023-366 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M45KVAFI32X55HONDKLE2FBN6GETMIUL/ E-Mail link for openSUSE-SU-2023:0366-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1206142 SUSE Bug 1206142 https://www.suse.com/security/cve/CVE-2022-37434/ SUSE CVE CVE-2022-37434 page https://www.suse.com/security/cve/CVE-2022-41325/ SUSE CVE CVE-2022-41325 page https://www.suse.com/security/cve/CVE-2023-5217/ SUSE CVE CVE-2023-5217 page SUSE Package Hub 15 SP5 openSUSE Leap 15.5 libvlc5-3.0.20-bp155.2.3.1 libvlccore9-3.0.20-bp155.2.3.1 vlc-3.0.20-bp155.2.3.1 vlc-codec-gstreamer-3.0.20-bp155.2.3.1 vlc-devel-3.0.20-bp155.2.3.1 vlc-jack-3.0.20-bp155.2.3.1 vlc-lang-3.0.20-bp155.2.3.1 vlc-noX-3.0.20-bp155.2.3.1 vlc-opencv-3.0.20-bp155.2.3.1 vlc-qt-3.0.20-bp155.2.3.1 vlc-vdpau-3.0.20-bp155.2.3.1 libvlc5-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 libvlccore9-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 vlc-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 vlc-codec-gstreamer-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 vlc-devel-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 vlc-jack-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 vlc-lang-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 vlc-noX-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 vlc-opencv-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 vlc-qt-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 vlc-vdpau-3.0.20-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 libvlc5-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 libvlccore9-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 vlc-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 vlc-codec-gstreamer-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 vlc-devel-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 vlc-jack-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 vlc-lang-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 vlc-noX-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 vlc-opencv-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 vlc-qt-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 vlc-vdpau-3.0.20-bp155.2.3.1 as a component of openSUSE Leap 15.5 zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). CVE-2022-37434 SUSE Package Hub 15 SP5:libvlc5-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:libvlccore9-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-codec-gstreamer-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-devel-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-jack-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-lang-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-noX-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-opencv-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-qt-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-vdpau-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:libvlc5-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:libvlccore9-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-codec-gstreamer-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-devel-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-jack-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-lang-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-noX-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-opencv-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-qt-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-vdpau-3.0.20-bp155.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M45KVAFI32X55HONDKLE2FBN6GETMIUL/ https://www.suse.com/security/cve/CVE-2022-37434.html CVE-2022-37434 https://bugzilla.suse.com/1202175 SUSE Bug 1202175 https://bugzilla.suse.com/1203030 SUSE Bug 1203030 https://bugzilla.suse.com/1205074 SUSE Bug 1205074 https://bugzilla.suse.com/1205289 SUSE Bug 1205289 https://bugzilla.suse.com/1216542 SUSE Bug 1216542 https://bugzilla.suse.com/1225671 SUSE Bug 1225671 An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions. CVE-2022-41325 SUSE Package Hub 15 SP5:libvlc5-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:libvlccore9-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-codec-gstreamer-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-devel-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-jack-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-lang-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-noX-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-opencv-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-qt-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-vdpau-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:libvlc5-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:libvlccore9-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-codec-gstreamer-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-devel-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-jack-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-lang-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-noX-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-opencv-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-qt-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-vdpau-3.0.20-bp155.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M45KVAFI32X55HONDKLE2FBN6GETMIUL/ https://www.suse.com/security/cve/CVE-2022-41325.html CVE-2022-41325 https://bugzilla.suse.com/1206142 SUSE Bug 1206142 Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2023-5217 SUSE Package Hub 15 SP5:libvlc5-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:libvlccore9-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-codec-gstreamer-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-devel-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-jack-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-lang-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-noX-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-opencv-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-qt-3.0.20-bp155.2.3.1 SUSE Package Hub 15 SP5:vlc-vdpau-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:libvlc5-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:libvlccore9-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-codec-gstreamer-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-devel-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-jack-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-lang-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-noX-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-opencv-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-qt-3.0.20-bp155.2.3.1 openSUSE Leap 15.5:vlc-vdpau-3.0.20-bp155.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M45KVAFI32X55HONDKLE2FBN6GETMIUL/ https://www.suse.com/security/cve/CVE-2023-5217.html CVE-2023-5217 https://bugzilla.suse.com/1215776 SUSE Bug 1215776 https://bugzilla.suse.com/1215778 SUSE Bug 1215778 https://bugzilla.suse.com/1215814 SUSE Bug 1215814 https://bugzilla.suse.com/1217559 SUSE Bug 1217559