You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa vlc

Sigurnosni nedostaci programskog paketa vlc

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LSU

openSUSE Security Update: Security update for vlc

Announcement ID: openSUSE-SU-2020:0545-1
Rating: moderate
References: #1142161 #1146428
Cross-References: CVE-2019-13602 CVE-2019-13962 CVE-2019-14437
CVE-2019-14438 CVE-2019-14498 CVE-2019-14533
CVE-2019-14534 CVE-2019-14535 CVE-2019-14776
CVE-2019-14777 CVE-2019-14778 CVE-2019-14970

Affected Products:
openSUSE Leap 15.1

An update that fixes 12 vulnerabilities is now available.


This update for vlc fixes the following issues:

vlc was updated to version

+ Misc: Properly bump the version in

Changes from version

+ Misc: Fix VLSub returning 401 for earch request.

Changes from version 3.0.9:

+ Core: Work around busy looping when playing an invalid item through VLM.
+ Access:
* Multiple dvdread and dvdnav crashs fixes
* Fixed DVD glitches on clip change
* Fixed dvdread commands/data sequence inversion in some cases causing
unwanted glitches
* Better handling of authored as corrupted DVD
* Added libsmb2 support for SMB2/3 shares
+ Demux:
* Fix TTML entities not passed to decoder
* Fixed some WebVTT styling tags being not applied
* Misc raw H264/HEVC frame rate fixes
* Fix adaptive regression on TS format change (mostly HLS)
* Fixed MP4 regression with twos/sowt PCM audio
* Fixed some MP4 raw quicktime and ms-PCM audio
* Fixed MP4 interlacing handling
* Multiple adaptive stack (DASH/HLS/Smooth) fixes
* Enabled Live seeking for HLS
* Fixed seeking in some cases for HLS
* Improved Live playback for Smooth and DASH
* Fixed adaptive unwanted end of stream in some cases
* Faster adaptive start and new buffering control options
+ Packetizers:
* Fixes H264/HEVC incomplete draining in some cases
* packetizer_helper: Fix potential trailing junk on last packet
* Added missing drain in packetizers that was causing missing last frame
or audio
* Improved check to prevent fLAC synchronization drops
+ Decoder:
* avcodec: revector video decoder to fix incomplete drain
* spudec: implemented palette updates, fixing missing subtitles
on some DVD
* Fixed WebVTT CSS styling not being applied on Windows/macOS
* Fixed Hebrew teletext pages support in zvbi
* Fixed Dav1d aborting decoding on corrupted picture
* Extract and display of all CEA708 subtitles
* Update libfaad to 2.9.1
* Add DXVA support for VP9 Profile 2 (10 bits)
* Mediacodec aspect ratio with Amazon devices
+ Audio output:
* Added support for iOS audiounit audio above 48KHz
* Added support for amem audio up to 384KHz
+ Video output:
* Fix for opengl glitches in some drivers
* Fix GMA950 opengl support on macOS
* YUV to RGB StretchRect fixes with NVIDIA drivers
* Use libpacebo new tone mapping desaturation algorithm
+ Text renderer:
* Fix crashes on macOS with SSA/ASS subtitles containing emoji
* Fixed unwanted growing background in Freetype rendering and Y padding
+ Mux: Fixed some YUV mappings
+ Service Discovery: Update libmicrodns to 0.1.2.
+ Misc:
* Update YouTube, SoundCloud and Vocaroo scripts: this restores playback
of YouTube URLs.
* Add missing .wpl & .zpl file associations on Windows
* Improved chromecast audio quality

Update to version 3.0.8 ‘vetinari’:

+ Fix stuttering for low framerate videos
+ Improve adaptive streaming
+ Improve audio output for external audio devices on macOS/iOS
+ Fix hardware acceleration with Direct3D11 for some AMD drivers
+ Fix WebVTT subtitles rendering
+ Vetinari is a major release changing a lot in the media engine of VLC.
It is one of the largest release we’ve ever done. Notably, it:
– activates hardware decoding on all platforms, of H.264 & H.265, 8 &
10bits, allowing 4K60 or even 8K decoding with little CPU consumption,
– merges all the code from the mobile ports into the same codebase with
common numbering and releases,
– supports 360 video and 3D audio, and prepares for VR content,
– supports direct HDR and HDR tone-mapping,
– updates the audio passthrough for HD Audio codecs,
– allows browsing of local network drives like SMB, FTP, SFTP, NFS…
– stores the passwords securely,
– brings a new subtitle rendering engine, supporting ComplexTextLayout
and font fallback to support multiple languages and fonts,
– supports ChromeCast with the new renderer framework,
– adds support for numerous new formats and codecs, including WebVTT,
AV1, TTML, HQX, 708, Cineform, and many more,
– improves Bluray support with Java menus, aka BD-J,
– updates the macOS interface with major cleaning and improvements,
– support HiDPI UI on Windows, with the switch to Qt5,
– prepares the experimental support for Wayland on Linux, and switches
to OpenGL by default on Linux.
+ Security fixes included:
* Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
* Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
* Fix a read buffer overflow in the FAAD decoder
* Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437,
* Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
* Fix a use after free in the MKV demuxer (CVE-2019-14777,
* Fix a use after free in the ASF demuxer (CVE-2019-14533)
* Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
* Fix a null dereference in the dvdnav demuxer
* Fix a null dereference in the ASF demuxer (CVE-2019-14534)
* Fix a null dereference in the AVI demuxer
* Fix a division by zero in the CAF demuxer (CVE-2019-14498)
* Fix a division by zero in the ASF demuxer (CVE-2019-14535)
– Disbale mod-plug for the time being: libmodplug 0.8.9 is not yet

– Disable SDL_image (SDL 1.2) based codec. It is only a wrapper around
some image loading libraries (libpng, libjpeg, …) which are either
wrapped by vlc itself ( or via libavcodec

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.1:

zypper in -t patch openSUSE-2020-545=1

Package List:

– openSUSE Leap 15.1 (noarch):


– openSUSE Leap 15.1 (x86_64):



To unsubscribe, e-mail:
For additional commands, e-mail:

AutorVlatka Misic
Cert idNCERT-REF-2020-04-0001-ADV
More in Preporuke
Sigurnosni nedostaci jezgre operacijskog sustava

Otkriveni su sigurnosni nedostaci u jezgri operacijskog sustava openSUSE. Otkriveni nedostaci potencijalnim napadačima omogućuju rušenje servisa, stjecanje uvećanih ovlasti ili...