Security update for vlc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1652-1 Final 1 1 2016-06-22T09:09:17Z current 2016-06-22T09:09:17Z 2016-06-22T09:09:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for vlc This update for vlc to 2.2.4 to fix the following security issue: - CVE-2016-5108: Fix out-of-bound write in adpcm QT IMA codec (boo#984382). This also include an update of codecs and libraries to fix these 3rd party security issues: - CVE-2016-1514: Matroska libebml EbmlUnicodeString Heap Information Leak - CVE-2016-1515: Matroska libebml Multiple ElementList Double Free Vulnerabilities - CVE-2015-7981: The png_convert_to_rfc1123 function in png.c in libpng allowed remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read (bsc#952051). - CVE-2015-8126: Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image (bsc#954980). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00046.html E-Mail link for openSUSE-SU-2016:1652-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 libvlc5-2.2.4-27.1 libvlccore8-2.2.4-27.1 vlc-2.2.4-27.1 vlc-devel-2.2.4-27.1 vlc-noX-2.2.4-27.1 vlc-noX-lang-2.2.4-27.1 vlc-qt-2.2.4-27.1 libvlc5-2.2.4-27.1 as a component of openSUSE Leap 42.1 libvlccore8-2.2.4-27.1 as a component of openSUSE Leap 42.1 vlc-2.2.4-27.1 as a component of openSUSE Leap 42.1 vlc-devel-2.2.4-27.1 as a component of openSUSE Leap 42.1 vlc-noX-2.2.4-27.1 as a component of openSUSE Leap 42.1 vlc-noX-lang-2.2.4-27.1 as a component of openSUSE Leap 42.1 vlc-qt-2.2.4-27.1 as a component of openSUSE Leap 42.1 The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read. CVE-2015-7981 openSUSE Leap 42.1:libvlc5-2.2.4-27.1 openSUSE Leap 42.1:libvlccore8-2.2.4-27.1 openSUSE Leap 42.1:vlc-2.2.4-27.1 openSUSE Leap 42.1:vlc-devel-2.2.4-27.1 openSUSE Leap 42.1:vlc-noX-2.2.4-27.1 openSUSE Leap 42.1:vlc-noX-lang-2.2.4-27.1 openSUSE Leap 42.1:vlc-qt-2.2.4-27.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00046.html https://www.suse.com/security/cve/CVE-2015-7981.html CVE-2015-7981 https://bugzilla.suse.com/952051 SUSE Bug 952051 https://bugzilla.suse.com/960402 SUSE Bug 960402 https://bugzilla.suse.com/963937 SUSE Bug 963937 Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. CVE-2015-8126 openSUSE Leap 42.1:libvlc5-2.2.4-27.1 openSUSE Leap 42.1:libvlccore8-2.2.4-27.1 openSUSE Leap 42.1:vlc-2.2.4-27.1 openSUSE Leap 42.1:vlc-devel-2.2.4-27.1 openSUSE Leap 42.1:vlc-noX-2.2.4-27.1 openSUSE Leap 42.1:vlc-noX-lang-2.2.4-27.1 openSUSE Leap 42.1:vlc-qt-2.2.4-27.1 moderate 4.3 AV:L/AC:L/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00046.html https://www.suse.com/security/cve/CVE-2015-8126.html CVE-2015-8126 https://bugzilla.suse.com/954980 SUSE Bug 954980 https://bugzilla.suse.com/958198 SUSE Bug 958198 https://bugzilla.suse.com/960402 SUSE Bug 960402 https://bugzilla.suse.com/962743 SUSE Bug 962743 https://bugzilla.suse.com/963937 SUSE Bug 963937 https://bugzilla.suse.com/969333 SUSE Bug 969333 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-8790. Reason: This candidate is a reservation duplicate of CVE-2015-8790. Notes: All CVE users should reference CVE-2015-8790 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2016-1514 openSUSE Leap 42.1:libvlc5-2.2.4-27.1 openSUSE Leap 42.1:libvlccore8-2.2.4-27.1 openSUSE Leap 42.1:vlc-2.2.4-27.1 openSUSE Leap 42.1:vlc-devel-2.2.4-27.1 openSUSE Leap 42.1:vlc-noX-2.2.4-27.1 openSUSE Leap 42.1:vlc-noX-lang-2.2.4-27.1 openSUSE Leap 42.1:vlc-qt-2.2.4-27.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00046.html https://www.suse.com/security/cve/CVE-2016-1514.html CVE-2016-1514 https://bugzilla.suse.com/964396 SUSE Bug 964396 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-8789. Reason: This candidate is a reservation duplicate of CVE-2015-8789. Notes: All CVE users should reference CVE-2015-8789 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2016-1515 openSUSE Leap 42.1:libvlc5-2.2.4-27.1 openSUSE Leap 42.1:libvlccore8-2.2.4-27.1 openSUSE Leap 42.1:vlc-2.2.4-27.1 openSUSE Leap 42.1:vlc-devel-2.2.4-27.1 openSUSE Leap 42.1:vlc-noX-2.2.4-27.1 openSUSE Leap 42.1:vlc-noX-lang-2.2.4-27.1 openSUSE Leap 42.1:vlc-qt-2.2.4-27.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00046.html https://www.suse.com/security/cve/CVE-2016-1515.html CVE-2016-1515 https://bugzilla.suse.com/964395 SUSE Bug 964395 Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted QuickTime IMA file. CVE-2016-5108 openSUSE Leap 42.1:libvlc5-2.2.4-27.1 openSUSE Leap 42.1:libvlccore8-2.2.4-27.1 openSUSE Leap 42.1:vlc-2.2.4-27.1 openSUSE Leap 42.1:vlc-devel-2.2.4-27.1 openSUSE Leap 42.1:vlc-noX-2.2.4-27.1 openSUSE Leap 42.1:vlc-noX-lang-2.2.4-27.1 openSUSE Leap 42.1:vlc-qt-2.2.4-27.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00046.html https://www.suse.com/security/cve/CVE-2016-5108.html CVE-2016-5108 https://bugzilla.suse.com/984382 SUSE Bug 984382