Security update for vlc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0545-1 Final 1 1 2020-04-23T08:12:41Z current 2020-04-23T08:12:41Z 2020-04-23T08:12:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for vlc This update for vlc fixes the following issues: vlc was updated to version 3.0.9.2: + Misc: Properly bump the version in configure.ac. Changes from version 3.0.9.1: + Misc: Fix VLSub returning 401 for earch request. Changes from version 3.0.9: + Core: Work around busy looping when playing an invalid item through VLM. + Access: * Multiple dvdread and dvdnav crashs fixes * Fixed DVD glitches on clip change * Fixed dvdread commands/data sequence inversion in some cases causing unwanted glitches * Better handling of authored as corrupted DVD * Added libsmb2 support for SMB2/3 shares + Demux: * Fix TTML entities not passed to decoder * Fixed some WebVTT styling tags being not applied * Misc raw H264/HEVC frame rate fixes * Fix adaptive regression on TS format change (mostly HLS) * Fixed MP4 regression with twos/sowt PCM audio * Fixed some MP4 raw quicktime and ms-PCM audio * Fixed MP4 interlacing handling * Multiple adaptive stack (DASH/HLS/Smooth) fixes * Enabled Live seeking for HLS * Fixed seeking in some cases for HLS * Improved Live playback for Smooth and DASH * Fixed adaptive unwanted end of stream in some cases * Faster adaptive start and new buffering control options + Packetizers: * Fixes H264/HEVC incomplete draining in some cases * packetizer_helper: Fix potential trailing junk on last packet * Added missing drain in packetizers that was causing missing last frame or audio * Improved check to prevent fLAC synchronization drops + Decoder: * avcodec: revector video decoder to fix incomplete drain * spudec: implemented palette updates, fixing missing subtitles on some DVD * Fixed WebVTT CSS styling not being applied on Windows/macOS * Fixed Hebrew teletext pages support in zvbi * Fixed Dav1d aborting decoding on corrupted picture * Extract and display of all CEA708 subtitles * Update libfaad to 2.9.1 * Add DXVA support for VP9 Profile 2 (10 bits) * Mediacodec aspect ratio with Amazon devices + Audio output: * Added support for iOS audiounit audio above 48KHz * Added support for amem audio up to 384KHz + Video output: * Fix for opengl glitches in some drivers * Fix GMA950 opengl support on macOS * YUV to RGB StretchRect fixes with NVIDIA drivers * Use libpacebo new tone mapping desaturation algorithm + Text renderer: * Fix crashes on macOS with SSA/ASS subtitles containing emoji * Fixed unwanted growing background in Freetype rendering and Y padding + Mux: Fixed some YUV mappings + Service Discovery: Update libmicrodns to 0.1.2. + Misc: * Update YouTube, SoundCloud and Vocaroo scripts: this restores playback of YouTube URLs. * Add missing .wpl & .zpl file associations on Windows * Improved chromecast audio quality Update to version 3.0.8 'vetinari': + Fix stuttering for low framerate videos + Improve adaptive streaming + Improve audio output for external audio devices on macOS/iOS + Fix hardware acceleration with Direct3D11 for some AMD drivers + Fix WebVTT subtitles rendering + Vetinari is a major release changing a lot in the media engine of VLC. It is one of the largest release we've ever done. Notably, it: - activates hardware decoding on all platforms, of H.264 & H.265, 8 & 10bits, allowing 4K60 or even 8K decoding with little CPU consumption, - merges all the code from the mobile ports into the same codebase with common numbering and releases, - supports 360 video and 3D audio, and prepares for VR content, - supports direct HDR and HDR tone-mapping, - updates the audio passthrough for HD Audio codecs, - allows browsing of local network drives like SMB, FTP, SFTP, NFS... - stores the passwords securely, - brings a new subtitle rendering engine, supporting ComplexTextLayout and font fallback to support multiple languages and fonts, - supports ChromeCast with the new renderer framework, - adds support for numerous new formats and codecs, including WebVTT, AV1, TTML, HQX, 708, Cineform, and many more, - improves Bluray support with Java menus, aka BD-J, - updates the macOS interface with major cleaning and improvements, - support HiDPI UI on Windows, with the switch to Qt5, - prepares the experimental support for Wayland on Linux, and switches to OpenGL by default on Linux. + Security fixes included: * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970) * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962) * Fix a read buffer overflow in the FAAD decoder * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438) * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776) * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778) * Fix a use after free in the ASF demuxer (CVE-2019-14533) * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602) * Fix a null dereference in the dvdnav demuxer * Fix a null dereference in the ASF demuxer (CVE-2019-14534) * Fix a null dereference in the AVI demuxer * Fix a division by zero in the CAF demuxer (CVE-2019-14498) * Fix a division by zero in the ASF demuxer (CVE-2019-14535) - Disbale mod-plug for the time being: libmodplug 0.8.9 is not yet available. - Disable SDL_image (SDL 1.2) based codec. It is only a wrapper around some image loading libraries (libpng, libjpeg, ...) which are either wrapped by vlc itself (libpng_plugin.so) or via libavcodec (libavcodec_plugin.so). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-545 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ E-Mail link for openSUSE-SU-2020:0545-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1142161 SUSE Bug 1142161 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 https://www.suse.com/security/cve/CVE-2019-13602/ SUSE CVE CVE-2019-13602 page https://www.suse.com/security/cve/CVE-2019-13962/ SUSE CVE CVE-2019-13962 page https://www.suse.com/security/cve/CVE-2019-14437/ SUSE CVE CVE-2019-14437 page https://www.suse.com/security/cve/CVE-2019-14438/ SUSE CVE CVE-2019-14438 page https://www.suse.com/security/cve/CVE-2019-14498/ SUSE CVE CVE-2019-14498 page https://www.suse.com/security/cve/CVE-2019-14533/ SUSE CVE CVE-2019-14533 page https://www.suse.com/security/cve/CVE-2019-14534/ SUSE CVE CVE-2019-14534 page https://www.suse.com/security/cve/CVE-2019-14535/ SUSE CVE CVE-2019-14535 page https://www.suse.com/security/cve/CVE-2019-14776/ SUSE CVE CVE-2019-14776 page https://www.suse.com/security/cve/CVE-2019-14777/ SUSE CVE CVE-2019-14777 page https://www.suse.com/security/cve/CVE-2019-14778/ SUSE CVE CVE-2019-14778 page https://www.suse.com/security/cve/CVE-2019-14970/ SUSE CVE CVE-2019-14970 page openSUSE Leap 15.1 libvlc5-3.0.9.2-lp151.6.6.1 libvlccore9-3.0.9.2-lp151.6.6.1 vlc-3.0.9.2-lp151.6.6.1 vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 vlc-devel-3.0.9.2-lp151.6.6.1 vlc-jack-3.0.9.2-lp151.6.6.1 vlc-lang-3.0.9.2-lp151.6.6.1 vlc-noX-3.0.9.2-lp151.6.6.1 vlc-opencv-3.0.9.2-lp151.6.6.1 vlc-qt-3.0.9.2-lp151.6.6.1 vlc-vdpau-3.0.9.2-lp151.6.6.1 libvlc5-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 libvlccore9-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 vlc-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 vlc-devel-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 vlc-jack-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 vlc-lang-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 vlc-noX-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 vlc-opencv-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 vlc-qt-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 vlc-vdpau-3.0.9.2-lp151.6.6.1 as a component of openSUSE Leap 15.1 An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp4/mp4.c in VideoLAN VLC media player through 3.0.7.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and crash) or possibly have unspecified other impact via a crafted .mp4 file. CVE-2019-13602 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-13602.html CVE-2019-13602 https://bugzilla.suse.com/1141522 SUSE Bug 1141522 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read because it does not properly validate the width and height. CVE-2019-13962 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-13962.html CVE-2019-13962 https://bugzilla.suse.com/1142161 SUSE Bug 1142161 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 The xiph_SplitHeaders function in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 does not check array bounds properly. As a result, a heap-based buffer over-read can be triggered via a crafted .ogg file. CVE-2019-14437 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-14437.html CVE-2019-14437 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 A heap-based buffer over-read in xiph_PackHeaders() in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer over-read via a crafted .ogg file. CVE-2019-14438 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-14438.html CVE-2019-14438 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 A divide-by-zero error exists in the Control function of demux/caf.c in VideoLAN VLC media player 3.0.7.1. As a result, an FPE can be triggered via a crafted CAF file. CVE-2019-14498 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-14498.html CVE-2019-14498 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 The Control function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 has a use-after-free. CVE-2019-14533 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-14533.html CVE-2019-14533 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 In VideoLAN VLC media player 3.0.7.1, there is a NULL pointer dereference at the function SeekPercent of demux/asf/asf.c that will lead to a denial of service attack. CVE-2019-14534 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-14534.html CVE-2019-14534 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 A divide-by-zero error exists in the SeekIndex function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1. As a result, an FPE can be triggered via a crafted WMV file. CVE-2019-14535 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-14535.html CVE-2019-14535 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 A heap-based buffer over-read exists in DemuxInit() in demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 via a crafted .mkv file. CVE-2019-14776 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-14776.html CVE-2019-14776 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 The Control function of demux/mkv/mkv.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free. CVE-2019-14777 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-14777.html CVE-2019-14777 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 The mkv::virtual_segment_c::seek method of demux/mkv/virtual_segment.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free. CVE-2019-14778 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-14778.html CVE-2019-14778 https://bugzilla.suse.com/1146428 SUSE Bug 1146428 A vulnerability in mkv::event_thread_t in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer overflow via a crafted .mkv file. CVE-2019-14970 openSUSE Leap 15.1:libvlc5-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:libvlccore9-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-codec-gstreamer-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-devel-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-jack-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-lang-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-noX-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-opencv-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-qt-3.0.9.2-lp151.6.6.1 openSUSE Leap 15.1:vlc-vdpau-3.0.9.2-lp151.6.6.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFHFURFW5IFIHSRDD3YMUC6GB232FD3U/ https://www.suse.com/security/cve/CVE-2019-14970.html CVE-2019-14970 https://bugzilla.suse.com/1146428 SUSE Bug 1146428