Security update for vlc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0122-1 Final 1 1 2021-01-19T23:23:58Z current 2021-01-19T23:23:58Z 2021-01-19T23:23:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for vlc This update for vlc fixes the following issues: Update to 3.0.11.1: - CVE-2020-13428: Fixed heap-based buffer overflow in the hxxx_AnnexB_to_xVC () (boo#1172727) - CVE-2020-26664: Fixed heap-based buffer overflow in EbmlTypeDispatcher:send () (boo#1180755) This update was imported from the openSUSE:Leap:15.2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-122 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YJCT5WYFJXXNRF5NSC7LOIHN7BD5UKVV/ E-Mail link for openSUSE-SU-2021:0122-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1133290 SUSE Bug 1133290 https://bugzilla.suse.com/1172727 SUSE Bug 1172727 https://bugzilla.suse.com/1180755 SUSE Bug 1180755 https://www.suse.com/security/cve/CVE-2020-13428/ SUSE CVE CVE-2020-13428 page https://www.suse.com/security/cve/CVE-2020-26664/ SUSE CVE CVE-2020-26664 page SUSE Package Hub 15 SP2 libvlc5-3.0.11.1-bp152.2.9.1 libvlccore9-3.0.11.1-bp152.2.9.1 vlc-3.0.11.1-bp152.2.9.1 vlc-codec-gstreamer-3.0.11.1-bp152.2.9.1 vlc-devel-3.0.11.1-bp152.2.9.1 vlc-jack-3.0.11.1-bp152.2.9.1 vlc-lang-3.0.11.1-bp152.2.9.1 vlc-noX-3.0.11.1-bp152.2.9.1 vlc-opencv-3.0.11.1-bp152.2.9.1 vlc-qt-3.0.11.1-bp152.2.9.1 vlc-vdpau-3.0.11.1-bp152.2.9.1 libvlc5-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 libvlccore9-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 vlc-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 vlc-codec-gstreamer-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 vlc-devel-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 vlc-jack-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 vlc-lang-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 vlc-noX-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 vlc-opencv-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 vlc-qt-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 vlc-vdpau-3.0.11.1-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 for macOS/iOS allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file. CVE-2020-13428 SUSE Package Hub 15 SP2:libvlc5-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:libvlccore9-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-codec-gstreamer-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-devel-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-jack-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-lang-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-noX-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-opencv-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-qt-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-vdpau-3.0.11.1-bp152.2.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YJCT5WYFJXXNRF5NSC7LOIHN7BD5UKVV/ https://www.suse.com/security/cve/CVE-2020-13428.html CVE-2020-13428 https://bugzilla.suse.com/1172727 SUSE Bug 1172727 A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file. CVE-2020-26664 SUSE Package Hub 15 SP2:libvlc5-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:libvlccore9-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-codec-gstreamer-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-devel-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-jack-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-lang-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-noX-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-opencv-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-qt-3.0.11.1-bp152.2.9.1 SUSE Package Hub 15 SP2:vlc-vdpau-3.0.11.1-bp152.2.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YJCT5WYFJXXNRF5NSC7LOIHN7BD5UKVV/ https://www.suse.com/security/cve/CVE-2020-26664.html CVE-2020-26664 https://bugzilla.suse.com/1180755 SUSE Bug 1180755