OPENSUSE-SU-2020:0545-1

Security update for vlc (moderate)

Published: 2020-04-23 (lists.opensuse.org)

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE;
  User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH;
  Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE;
  Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL;
  Availability Impact: PARTIAL

An update that fixes 12 vulnerabilities is now available.

Description:

This update for vlc fixes the following issues:

vlc was updated to version 3.0.9.2:

Changes from version 3.0.9.1:

  • Misc: Fix VLSub returning 401 for each request.

Changes from version 3.0.9:

  • Core: Work around busy looping when playing an invalid item through VLM.
  • Access:
    • Multiple dvdread and dvdnav crash fixes
    • Fixed DVD glitches on clip change
    • Fixed dvdread commands/data sequence inversion in some cases causing
      unwanted glitches
    • Better handling of DVDs authored as corrupted
    • Added libsmb2 support for SMB2/3 shares
  • Demux:
    • Fix TTML entities not passed to decoder
    • Fixed some WebVTT styling tags not being applied
    • Misc raw H264/HEVC frame rate fixes
    • Fix adaptive regression on TS format change (mostly HLS)
    • Fixed MP4 regression with twos/sowt PCM audio
    • Fixed some MP4 raw quicktime and ms-PCM audio
    • Fixed MP4 interlacing handling
    • Multiple adaptive stack (DASH/HLS/Smooth) fixes
    • Enabled Live seeking for HLS
    • Fixed seeking in some cases for HLS
    • Improved Live playback for Smooth and DASH
    • Fixed adaptive unwanted end of stream in some cases
    • Faster adaptive start and new buffering control options
  • Packetizers:
    • Fixed H264/HEVC incomplete draining in some cases
    • packetizer_helper: Fix potential trailing junk on last packet
    • Added missing drain in packetizers that was causing missing last frame
      or audio
    • Improved check to prevent fLAC synchronization drops
  • Decoder:
    • avcodec: revector video decoder to fix incomplete drain
    • spudec: implemented palette updates, fixing missing subtitles
      on some DVD
    • Fixed WebVTT CSS styling not being applied on Windows/macOS
    • Fixed Hebrew teletext pages support in zvbi
    • Fixed Dav1d aborting decoding on corrupted picture
    • Extract and display all CEA708 subtitles
    • Update libfaad to 2.9.1
    • Add DXVA support for VP9 Profile 2 (10 bits)
    • Fixed Mediacodec aspect ratio on Amazon devices
  • Audio output:
    • Added support for iOS audiounit audio above 48 kHz
    • Added support for amem audio up to 384 kHz
  • Video output:
    • Fix for opengl glitches in some drivers
    • Fix GMA950 opengl support on macOS
    • YUV to RGB StretchRect fixes with NVIDIA drivers
    • Use the new libplacebo tone mapping desaturation algorithm
  • Text renderer:
    • Fix crashes on macOS with SSA/ASS subtitles containing emoji
    • Fixed unwanted growing background in Freetype rendering and Y padding
  • Mux: Fixed some YUV mappings
  • Service Discovery: Update libmicrodns to 0.1.2.
  • Misc:
    • Update YouTube, SoundCloud and Vocaroo scripts: this restores playback
      of YouTube URLs.
    • Add missing .wpl & .zpl file associations on Windows
    • Improved chromecast audio quality

Update to version 3.0.8 ‘vetinari’:

  • Fix stuttering for low framerate videos
  • Improve adaptive streaming
  • Improve audio output for external audio devices on macOS/iOS
  • Fix hardware acceleration with Direct3D11 for some AMD drivers
  • Fix WebVTT subtitles rendering
  • Vetinari is a major release changing a lot in the media engine of VLC.
    It is one of the largest releases we’ve ever done. Notably, it:
    • activates hardware decoding on all platforms, of H.264 & H.265, 8 &
      10bits, allowing 4K60 or even 8K decoding with little CPU consumption,
    • merges all the code from the mobile ports into the same codebase with
      common numbering and releases,
    • supports 360 video and 3D audio, and prepares for VR content,
    • supports direct HDR and HDR tone-mapping,
    • updates the audio passthrough for HD Audio codecs,
    • allows browsing of local network drives like SMB, FTP, SFTP, NFS…
    • stores the passwords securely,
    • brings a new subtitle rendering engine, supporting ComplexTextLayout
      and font fallback to support multiple languages and fonts,
    • supports ChromeCast with the new renderer framework,
    • adds support for numerous new formats and codecs, including WebVTT,
      AV1, TTML, HQX, 708, Cineform, and many more,
    • improves Bluray support with Java menus, aka BD-J,
    • updates the macOS interface with major cleaning and improvements,
    • supports HiDPI UI on Windows, with the switch to Qt5,
    • prepares the experimental support for Wayland on Linux, and switches
      to OpenGL by default on Linux.
  • Security fixes included:
    • Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
    • Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
    • Fix a read buffer overflow in the FAAD decoder
    • Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437,
      CVE-2019-14438)
    • Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
    • Fix a use after free in the MKV demuxer (CVE-2019-14777,
      CVE-2019-14778)
    • Fix a use after free in the ASF demuxer (CVE-2019-14533)
    • Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
    • Fix a null dereference in the dvdnav demuxer
    • Fix a null dereference in the ASF demuxer (CVE-2019-14534)
    • Fix a null dereference in the AVI demuxer
    • Fix a division by zero in the CAF demuxer (CVE-2019-14498)
    • Fix a division by zero in the ASF demuxer (CVE-2019-14535)
  • Disable mod-plug for the time being: libmodplug 0.8.9 is not yet
    available.

  • Disable SDL_image (SDL 1.2) based codec. It is only a wrapper around
    some image loading libraries (libpng, libjpeg, …) which are either
    wrapped by vlc itself (libpng_plugin.so) or via libavcodec
    (libavcodec_plugin.so).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.1:

    zypper in -t patch openSUSE-2020-545=1

Affected packages (package names and filenames were not preserved on this page):

  • openSUSE Leap 15.1 (noarch): .noarch.rpm
  • openSUSE Leap 15.1 (x86_64): .x86_64.rpm
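A small added check that is not part of the openSUSE advisory: it decides whether a vlc version string is already at or above the fixed version 3.0.9.2 named in the description, so a fleet inventory or a post-patch verification can flag hosts that still need the update. The version strings fed to it below are constructed for illustration; the rpm release suffix format shown is an assumption, and the comparison handles dotted numeric versions only.

```shell
#!/bin/sh
# Added example, not from the advisory: is an installed vlc at the fixed
# version (3.0.9.2) or newer?  Sample version strings are constructed.

FIXED_VLC_VERSION="3.0.9.2"

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Missing components count as 0 and
# any non-digit tail of a component is ignored.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca="${a%%.*}"; cb="${b%%.*}"
        if [ "$ca" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$cb" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ca=$(printf '%s' "$ca" | sed 's/[^0-9].*//')
        cb=$(printf '%s' "$cb" | sed 's/[^0-9].*//')
        ca="${ca:-0}"; cb="${cb:-0}"
        if [ "$ca" -lt "$cb" ]; then printf '%s\n' -1; return; fi
        if [ "$ca" -gt "$cb" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when the given vlc version carries the fix.
# Accepts "VERSION" or "VERSION-RELEASE"; the release part is dropped.
vlc_is_patched() {
    ver="${1%%-*}"
    [ "$(vercmp "$ver" "$FIXED_VLC_VERSION")" -ge 0 ]
}

# Constructed sample inputs (the "-lp151.x.y" release suffix is assumed,
# not taken from the advisory):
for v in 3.0.8-lp151.1.1 3.0.9.1 3.0.9.2-lp151.2.1 3.0.10; do
    if vlc_is_patched "$v"; then
        echo "vlc $v: fixed version or newer"
    else
        echo "vlc $v: still vulnerable, apply: zypper in -t patch openSUSE-2020-545=1"
    fi
done

# On a live openSUSE Leap host, query the real installed version instead:
#   vlc_is_patched "$(rpm -q --qf '%{VERSION}-%{RELEASE}' vlc)"
```

The loop is only there so the script runs stand-alone; in practice you would pipe the `rpm -q` output from each host into `vlc_is_patched` and treat a non-zero exit as "still needs openSUSE-2020-545".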
