openSUSE Security Update : vlc (openSUSE-2020-545)

critical Nessus Plugin ID 136008

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for vlc fixes the following issues :

vlc was updated to version 3.0.9.2 :

+ Misc: Properly bump the version in configure.ac.

Changes from version 3.0.9.1 :

+ Misc: Fix VLSub returning 401 for earch request.

Changes from version 3.0.9 :

+ Core: Work around busy looping when playing an invalid item through VLM.

+ Access :

- Multiple dvdread and dvdnav crashs fixes

- Fixed DVD glitches on clip change

- Fixed dvdread commands/data sequence inversion in some cases causing unwanted glitches

- Better handling of authored as corrupted DVD

- Added libsmb2 support for SMB2/3 shares

+ Demux :

- Fix TTML entities not passed to decoder

- Fixed some WebVTT styling tags being not applied

- Misc raw H264/HEVC frame rate fixes

- Fix adaptive regression on TS format change (mostly HLS)

- Fixed MP4 regression with twos/sowt PCM audio

- Fixed some MP4 raw quicktime and ms-PCM audio

- Fixed MP4 interlacing handling

- Multiple adaptive stack (DASH/HLS/Smooth) fixes

- Enabled Live seeking for HLS

- Fixed seeking in some cases for HLS

- Improved Live playback for Smooth and DASH

- Fixed adaptive unwanted end of stream in some cases

- Faster adaptive start and new buffering control options

+ Packetizers :

- Fixes H264/HEVC incomplete draining in some cases

- packetizer_helper: Fix potential trailing junk on last packet

- Added missing drain in packetizers that was causing missing last frame or audio

- Improved check to prevent fLAC synchronization drops

+ Decoder :

- avcodec: revector video decoder to fix incomplete drain

- spudec: implemented palette updates, fixing missing subtitles on some DVD

- Fixed WebVTT CSS styling not being applied on Windows/macOS

- Fixed Hebrew teletext pages support in zvbi

- Fixed Dav1d aborting decoding on corrupted picture

- Extract and display of all CEA708 subtitles

- Update libfaad to 2.9.1

- Add DXVA support for VP9 Profile 2 (10 bits)

- Mediacodec aspect ratio with Amazon devices

+ Audio output :

- Added support for iOS audiounit audio above 48KHz

- Added support for amem audio up to 384KHz

+ Video output :

- Fix for opengl glitches in some drivers

- Fix GMA950 opengl support on macOS

- YUV to RGB StretchRect fixes with NVIDIA drivers

- Use libpacebo new tone mapping desaturation algorithm

+ Text renderer :

- Fix crashes on macOS with SSA/ASS subtitles containing emoji

- Fixed unwanted growing background in Freetype rendering and Y padding

+ Mux: Fixed some YUV mappings

+ Service Discovery: Update libmicrodns to 0.1.2.

+ Misc :

- Update YouTube, SoundCloud and Vocaroo scripts: this restores playback of YouTube URLs.

- Add missing .wpl & .zpl file associations on Windows

- Improved chromecast audio quality

Update to version 3.0.8 'vetinari' :

+ Fix stuttering for low framerate videos

+ Improve adaptive streaming

+ Improve audio output for external audio devices on macOS/iOS

+ Fix hardware acceleration with Direct3D11 for some AMD drivers

+ Fix WebVTT subtitles rendering

+ Vetinari is a major release changing a lot in the media engine of VLC. It is one of the largest release we've ever done. Notably, it :

- activates hardware decoding on all platforms, of H.264 & H.265, 8 & 10bits, allowing 4K60 or even 8K decoding with little CPU consumption,

- merges all the code from the mobile ports into the same codebase with common numbering and releases,

- supports 360 video and 3D audio, and prepares for VR content,

- supports direct HDR and HDR tone-mapping,

- updates the audio passthrough for HD Audio codecs,

- allows browsing of local network drives like SMB, FTP, SFTP, NFS...

- stores the passwords securely,

- brings a new subtitle rendering engine, supporting ComplexTextLayout and font fallback to support multiple languages and fonts,

- supports ChromeCast with the new renderer framework,

- adds support for numerous new formats and codecs, including WebVTT, AV1, TTML, HQX, 708, Cineform, and many more,

- improves Bluray support with Java menus, aka BD-J,

- updates the macOS interface with major cleaning and improvements,

- support HiDPI UI on Windows, with the switch to Qt5,

- prepares the experimental support for Wayland on Linux, and switches to OpenGL by default on Linux.

+ Security fixes included :

- Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)

- Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)

- Fix a read buffer overflow in the FAAD decoder

- Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)

- Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)

- Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)

- Fix a use after free in the ASF demuxer (CVE-2019-14533)

- Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)

- Fix a null dereference in the dvdnav demuxer

- Fix a null dereference in the ASF demuxer (CVE-2019-14534)

- Fix a null dereference in the AVI demuxer

- Fix a division by zero in the CAF demuxer (CVE-2019-14498)

- Fix a division by zero in the ASF demuxer (CVE-2019-14535)

- Disbale mod-plug for the time being: libmodplug 0.8.9 is not yet available.

- Disable SDL_image (SDL 1.2) based codec. It is only a wrapper around some image loading libraries (libpng, libjpeg, ...) which are either wrapped by vlc itself (libpng_plugin.so) or via libavcodec (libavcodec_plugin.so).

Solution

Update the affected vlc packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1142161

https://bugzilla.opensuse.org/show_bug.cgi?id=1146428

Plugin Details

Severity: Critical

ID: 136008

File Name: openSUSE-2020-545.nasl

Version: 1.3

Type: local

Agent: unix

Published: 4/27/2020

Updated: 3/14/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-13962

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:vlc-qt-debuginfo, p-cpe:/a:novell:opensuse:vlc-nox, cpe:/o:novell:opensuse:15.1, p-cpe:/a:novell:opensuse:vlc-lang, p-cpe:/a:novell:opensuse:vlc, p-cpe:/a:novell:opensuse:vlc-codec-gstreamer-debuginfo, p-cpe:/a:novell:opensuse:vlc-qt, p-cpe:/a:novell:opensuse:libvlccore9, p-cpe:/a:novell:opensuse:libvlc5, p-cpe:/a:novell:opensuse:vlc-opencv, p-cpe:/a:novell:opensuse:vlc-jack, p-cpe:/a:novell:opensuse:vlc-debuginfo, p-cpe:/a:novell:opensuse:vlc-debugsource, p-cpe:/a:novell:opensuse:libvlccore9-debuginfo, p-cpe:/a:novell:opensuse:vlc-opencv-debuginfo, p-cpe:/a:novell:opensuse:vlc-jack-debuginfo, p-cpe:/a:novell:opensuse:vlc-nox-debuginfo, p-cpe:/a:novell:opensuse:libvlc5-debuginfo, p-cpe:/a:novell:opensuse:vlc-vdpau, p-cpe:/a:novell:opensuse:vlc-codec-gstreamer, p-cpe:/a:novell:opensuse:vlc-vdpau-debuginfo, p-cpe:/a:novell:opensuse:vlc-devel

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/23/2020

Vulnerability Publication Date: 7/14/2019

Reference Information

CVE: CVE-2019-13602, CVE-2019-13962, CVE-2019-14437, CVE-2019-14438, CVE-2019-14498, CVE-2019-14533, CVE-2019-14534, CVE-2019-14535, CVE-2019-14776, CVE-2019-14777, CVE-2019-14778, CVE-2019-14970