Detections
Analytics

openSUSE Security Update : vlc (openSUSE-2020-545)

critical Nessus Plugin ID 136008

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for vlc fixes the following issues :

vlc was updated to version 3.0.9.2 :

 + Misc: Properly bump the version in configure.ac.

Changes from version 3.0.9.1 :

 + Misc: Fix VLSub returning 401 for earch request.

Changes from version 3.0.9 :

 + Core: Work around busy looping when playing an invalid item through VLM.

 + Access :

 - Multiple dvdread and dvdnav crashs fixes

 - Fixed DVD glitches on clip change

 - Fixed dvdread commands/data sequence inversion in some cases causing unwanted glitches

 - Better handling of authored as corrupted DVD

 - Added libsmb2 support for SMB2/3 shares

 + Demux :

 - Fix TTML entities not passed to decoder

 - Fixed some WebVTT styling tags being not applied

 - Misc raw H264/HEVC frame rate fixes

 - Fix adaptive regression on TS format change (mostly HLS)

 - Fixed MP4 regression with twos/sowt PCM audio

 - Fixed some MP4 raw quicktime and ms-PCM audio

 - Fixed MP4 interlacing handling

 - Multiple adaptive stack (DASH/HLS/Smooth) fixes

 - Enabled Live seeking for HLS

 - Fixed seeking in some cases for HLS

 - Improved Live playback for Smooth and DASH

 - Fixed adaptive unwanted end of stream in some cases

 - Faster adaptive start and new buffering control options

 + Packetizers :

 - Fixes H264/HEVC incomplete draining in some cases

 - packetizer_helper: Fix potential trailing junk on last packet

 - Added missing drain in packetizers that was causing missing last frame or audio

 - Improved check to prevent fLAC synchronization drops

 + Decoder :

 - avcodec: revector video decoder to fix incomplete drain

 - spudec: implemented palette updates, fixing missing subtitles on some DVD

 - Fixed WebVTT CSS styling not being applied on Windows/macOS

 - Fixed Hebrew teletext pages support in zvbi

 - Fixed Dav1d aborting decoding on corrupted picture

 - Extract and display of all CEA708 subtitles

 - Update libfaad to 2.9.1

 - Add DXVA support for VP9 Profile 2 (10 bits)

 - Mediacodec aspect ratio with Amazon devices

 + Audio output :

 - Added support for iOS audiounit audio above 48KHz

 - Added support for amem audio up to 384KHz

 + Video output :

 - Fix for opengl glitches in some drivers

 - Fix GMA950 opengl support on macOS

 - YUV to RGB StretchRect fixes with NVIDIA drivers

 - Use libpacebo new tone mapping desaturation algorithm

 + Text renderer :

 - Fix crashes on macOS with SSA/ASS subtitles containing emoji

 - Fixed unwanted growing background in Freetype rendering and Y padding

 + Mux: Fixed some YUV mappings

 + Service Discovery: Update libmicrodns to 0.1.2.

 + Misc :

 - Update YouTube, SoundCloud and Vocaroo scripts: this restores playback of YouTube URLs.

 - Add missing .wpl & .zpl file associations on Windows

 - Improved chromecast audio quality

Update to version 3.0.8 'vetinari' :

 + Fix stuttering for low framerate videos

 + Improve adaptive streaming

 + Improve audio output for external audio devices on macOS/iOS

 + Fix hardware acceleration with Direct3D11 for some AMD drivers

 + Fix WebVTT subtitles rendering

 + Vetinari is a major release changing a lot in the media engine of VLC. It is one of the largest release we've ever done. Notably, it :

 - activates hardware decoding on all platforms, of H.264 & H.265, 8 & 10bits, allowing 4K60 or even 8K decoding with little CPU consumption,

 - merges all the code from the mobile ports into the same codebase with common numbering and releases,

 - supports 360 video and 3D audio, and prepares for VR content,

 - supports direct HDR and HDR tone-mapping,

 - updates the audio passthrough for HD Audio codecs,

 - allows browsing of local network drives like SMB, FTP, SFTP, NFS...

 - stores the passwords securely,

 - brings a new subtitle rendering engine, supporting ComplexTextLayout and font fallback to support multiple languages and fonts,

 - supports ChromeCast with the new renderer framework,

 - adds support for numerous new formats and codecs, including WebVTT, AV1, TTML, HQX, 708, Cineform, and many more,

 - improves Bluray support with Java menus, aka BD-J,

 - updates the macOS interface with major cleaning and improvements,

 - support HiDPI UI on Windows, with the switch to Qt5,

 - prepares the experimental support for Wayland on Linux, and switches to OpenGL by default on Linux.

 + Security fixes included :

 - Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)

 - Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)

 - Fix a read buffer overflow in the FAAD decoder

 - Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)

 - Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)

 - Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)

 - Fix a use after free in the ASF demuxer (CVE-2019-14533)

 - Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)

 - Fix a null dereference in the dvdnav demuxer

 - Fix a null dereference in the ASF demuxer (CVE-2019-14534)

 - Fix a null dereference in the AVI demuxer

 - Fix a division by zero in the CAF demuxer (CVE-2019-14498)

 - Fix a division by zero in the ASF demuxer (CVE-2019-14535)

 - Disbale mod-plug for the time being: libmodplug 0.8.9 is not yet available.

 - Disable SDL_image (SDL 1.2) based codec. It is only a wrapper around some image loading libraries (libpng, libjpeg, ...) which are either wrapped by vlc itself (libpng_plugin.so) or via libavcodec (libavcodec_plugin.so).

Solution

Update the affected vlc packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1142161

https://bugzilla.opensuse.org/show_bug.cgi?id=1146428

Plugin Details

Severity: Critical

ID: 136008

File Name: openSUSE-2020-545.nasl

Version: 1.3

Type: local

Agent: unix

Published: 4/27/2020

Updated: 3/14/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-13962

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:vlc-qt-debuginfo, p-cpe:/a:novell:opensuse:vlc-nox, cpe:/o:novell:opensuse:15.1, p-cpe:/a:novell:opensuse:vlc-lang, p-cpe:/a:novell:opensuse:vlc, p-cpe:/a:novell:opensuse:vlc-codec-gstreamer-debuginfo, p-cpe:/a:novell:opensuse:vlc-qt, p-cpe:/a:novell:opensuse:libvlccore9, p-cpe:/a:novell:opensuse:libvlc5, p-cpe:/a:novell:opensuse:vlc-opencv, p-cpe:/a:novell:opensuse:vlc-jack, p-cpe:/a:novell:opensuse:vlc-debuginfo, p-cpe:/a:novell:opensuse:vlc-debugsource, p-cpe:/a:novell:opensuse:libvlccore9-debuginfo, p-cpe:/a:novell:opensuse:vlc-opencv-debuginfo, p-cpe:/a:novell:opensuse:vlc-jack-debuginfo, p-cpe:/a:novell:opensuse:vlc-nox-debuginfo, p-cpe:/a:novell:opensuse:libvlc5-debuginfo, p-cpe:/a:novell:opensuse:vlc-vdpau, p-cpe:/a:novell:opensuse:vlc-codec-gstreamer, p-cpe:/a:novell:opensuse:vlc-vdpau-debuginfo, p-cpe:/a:novell:opensuse:vlc-devel

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/23/2020

Vulnerability Publication Date: 7/14/2019

Reference Information

CVE: CVE-2019-13602, CVE-2019-13962, CVE-2019-14437, CVE-2019-14438, CVE-2019-14498, CVE-2019-14533, CVE-2019-14534, CVE-2019-14535, CVE-2019-14776, CVE-2019-14777, CVE-2019-14778, CVE-2019-14970