Security update for vlc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1651-1 Final 1 1 2016-06-22T09:09:30Z current 2016-06-22T09:09:30Z 2016-06-22T09:09:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for vlc This update for vlc to version 2.1.6 fixes the following issues: These CVE were fixed: - CVE-2016-5108: Reject invalid QuickTime IMA files (boo#984382). - CVE-2016-3941: Heap overflow in processing wav files (boo#973354). These security issues without were fixed: - Fix heap overflow in decomp stream filter. - Fix buffer overflow in updater. - Fix potential buffer overflow in schroedinger encoder. - Fix null-pointer dereference in DMO decoder. - Fix buffer overflow in parsing of string boxes in mp4 demuxer. - Fix SRTP integer overflow. - Fix potential crash in zip access. - Fix read overflow in Ogg demuxer. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00045.html E-Mail link for openSUSE-SU-2016:1651-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 libvlc5-2.1.6-2.10.1 libvlc5-debuginfo-2.1.6-2.10.1 libvlccore7-2.1.6-2.10.1 libvlccore7-debuginfo-2.1.6-2.10.1 vlc-2.1.6-2.10.1 vlc-debuginfo-2.1.6-2.10.1 vlc-debugsource-2.1.6-2.10.1 vlc-devel-2.1.6-2.10.1 vlc-gnome-2.1.6-2.10.1 vlc-gnome-debuginfo-2.1.6-2.10.1 vlc-noX-2.1.6-2.10.1 vlc-noX-debuginfo-2.1.6-2.10.1 vlc-noX-lang-2.1.6-2.10.1 vlc-qt-2.1.6-2.10.1 vlc-qt-debuginfo-2.1.6-2.10.1 libvlc5-2.1.6-2.10.1 as a component of openSUSE 13.2 libvlc5-debuginfo-2.1.6-2.10.1 as a component of openSUSE 13.2 libvlccore7-2.1.6-2.10.1 as a component of openSUSE 13.2 libvlccore7-debuginfo-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-debuginfo-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-debugsource-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-devel-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-gnome-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-gnome-debuginfo-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-noX-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-noX-debuginfo-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-noX-lang-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-qt-2.1.6-2.10.1 as a component of openSUSE 13.2 vlc-qt-debuginfo-2.1.6-2.10.1 as a component of openSUSE 13.2 Buffer overflow in the AStreamPeekStream function in input/stream.c in VideoLAN VLC media player before 2.2.0 allows remote attackers to cause a denial of service (crash) via a crafted wav file, related to "seek across EOF." CVE-2016-3941 openSUSE 13.2:libvlc5-2.1.6-2.10.1 openSUSE 13.2:libvlc5-debuginfo-2.1.6-2.10.1 openSUSE 13.2:libvlccore7-2.1.6-2.10.1 openSUSE 13.2:libvlccore7-debuginfo-2.1.6-2.10.1 openSUSE 13.2:vlc-2.1.6-2.10.1 openSUSE 13.2:vlc-debuginfo-2.1.6-2.10.1 openSUSE 13.2:vlc-debugsource-2.1.6-2.10.1 openSUSE 13.2:vlc-devel-2.1.6-2.10.1 openSUSE 13.2:vlc-gnome-2.1.6-2.10.1 openSUSE 13.2:vlc-gnome-debuginfo-2.1.6-2.10.1 openSUSE 13.2:vlc-noX-2.1.6-2.10.1 openSUSE 13.2:vlc-noX-debuginfo-2.1.6-2.10.1 openSUSE 13.2:vlc-noX-lang-2.1.6-2.10.1 openSUSE 13.2:vlc-qt-2.1.6-2.10.1 openSUSE 13.2:vlc-qt-debuginfo-2.1.6-2.10.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00045.html https://www.suse.com/security/cve/CVE-2016-3941.html CVE-2016-3941 https://bugzilla.suse.com/1007595 SUSE Bug 1007595 https://bugzilla.suse.com/973354 SUSE Bug 973354 Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted QuickTime IMA file. CVE-2016-5108 openSUSE 13.2:libvlc5-2.1.6-2.10.1 openSUSE 13.2:libvlc5-debuginfo-2.1.6-2.10.1 openSUSE 13.2:libvlccore7-2.1.6-2.10.1 openSUSE 13.2:libvlccore7-debuginfo-2.1.6-2.10.1 openSUSE 13.2:vlc-2.1.6-2.10.1 openSUSE 13.2:vlc-debuginfo-2.1.6-2.10.1 openSUSE 13.2:vlc-debugsource-2.1.6-2.10.1 openSUSE 13.2:vlc-devel-2.1.6-2.10.1 openSUSE 13.2:vlc-gnome-2.1.6-2.10.1 openSUSE 13.2:vlc-gnome-debuginfo-2.1.6-2.10.1 openSUSE 13.2:vlc-noX-2.1.6-2.10.1 openSUSE 13.2:vlc-noX-debuginfo-2.1.6-2.10.1 openSUSE 13.2:vlc-noX-lang-2.1.6-2.10.1 openSUSE 13.2:vlc-qt-2.1.6-2.10.1 openSUSE 13.2:vlc-qt-debuginfo-2.1.6-2.10.1 important 7.4 AV:N/AC:L/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00045.html https://www.suse.com/security/cve/CVE-2016-5108.html CVE-2016-5108 https://bugzilla.suse.com/984382 SUSE Bug 984382