VLC 2.2.5.1 has been released on May 11:
https://www.videolan.org/vlc/releases/2.2.5.html

Most of the fixes only affect Windows, but it does have "Various security improvements in demuxers and decoders," so we might want to update it for Mageia 5.
I have built a package for core 5 / updates_testing but didn't test it locally. Perhaps I should litmus test it on a VM and assign it to QA. We also need a package for tainted.
(In reply to Shlomi Fish from comment #1)
> I have built a package for core 5 / updates_testing but didn't test it
> locally. Perhaps I should litmus test it on a VM and assign it to QA. We
> also need a package for tainted.

Tested fine in a VBox VM - assigning to QA.
Assignee: shlomif => qa-bugs
Thanks Shlomi!

Advisory:
========================

The VLC packages have been updated to version 2.2.5.1, which includes various security improvements in demuxers and decoders, as well as other bug fixes.

References:
https://www.videolan.org/vlc/releases/2.2.5.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
vlc-2.2.5.1-1.mga5
libvlc5-2.2.5.1-1.mga5
libvlccore8-2.2.5.1-1.mga5
libvlc-devel-2.2.5.1-1.mga5
vlc-plugin-common-2.2.5.1-1.mga5
vlc-plugin-zvbi-2.2.5.1-1.mga5
vlc-plugin-kate-2.2.5.1-1.mga5
vlc-plugin-libass-2.2.5.1-1.mga5
vlc-plugin-lua-2.2.5.1-1.mga5
vlc-plugin-ncurses-2.2.5.1-1.mga5
vlc-plugin-lirc-2.2.5.1-1.mga5
svlc-2.2.5.1-1.mga5
vlc-plugin-aa-2.2.5.1-1.mga5
vlc-plugin-sdl-2.2.5.1-1.mga5
vlc-plugin-shout-2.2.5.1-1.mga5
vlc-plugin-opengl-2.2.5.1-1.mga5
vlc-plugin-vdpau-2.2.5.1-1.mga5
vlc-plugin-projectm-2.2.5.1-1.mga5
vlc-plugin-theora-2.2.5.1-1.mga5
vlc-plugin-twolame-2.2.5.1-1.mga5
vlc-plugin-fluidsynth-2.2.5.1-1.mga5
vlc-plugin-gme-2.2.5.1-1.mga5
vlc-plugin-schroedinger-2.2.5.1-1.mga5
vlc-plugin-speex-2.2.5.1-1.mga5
vlc-plugin-flac-2.2.5.1-1.mga5
vlc-plugin-dv-2.2.5.1-1.mga5
vlc-plugin-mod-2.2.5.1-1.mga5
vlc-plugin-mpc-2.2.5.1-1.mga5
vlc-plugin-sid-2.2.5.1-1.mga5
vlc-plugin-pulse-2.2.5.1-1.mga5
vlc-plugin-jack-2.2.5.1-1.mga5
vlc-plugin-bonjour-2.2.5.1-1.mga5
vlc-plugin-upnp-2.2.5.1-1.mga5
vlc-plugin-gnutls-2.2.5.1-1.mga5
vlc-plugin-libnotify-2.2.5.1-1.mga5
vlc-plugin-chromaprint-2.2.5.1-1.mga5

from vlc-2.2.5.1-1.mga5.src.rpm
Tested this for x86_64 on real hardware.
Installed any plugins which were missing then updated all the packages on the list from Tainted Updates Testing.
Ran skinned vlc from the commandline to check various sound and video formats and container formats:
mov, mp3, mp4, mkv, m2t, ogg, flac, wav, swf
All played fine, sound and vision. Subtitles were displayed where specified and NFS shares played across the network.
Played Youtube videos from the commandline and by using the UPnP service via the Open File -> Network menu.
Skins work courtesy of svlc.

DVDs however could not be played (this is the case for all players on this machine so there may be something missing).
These subsidiary libraries were already installed
lib64dvdcss2-1.3.0-3.mga5.tainted
lib64dvdread4-5.0.2-1.mga5
lib64dvdnav4-5.0.3-1.mga5

Tried commandline invocation
$ vlc dvd://1
and using the Disc menu internally; Disc -> DVD, Title = 1
"Your input can't be opened:
VLC is unable to open the MRL 'dvd:///dev/sr0#1:1'. Check the log for details."

Terminal output:
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
libdvdnav: Using dvdnav version 5.0.3
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.IFO.
libdvdnav: vm: failed to read VIDEO_TS.IFO
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.BUP.
[00007f2c8c001238] core input error: open of `dvd:///dev/sr0#1:1' failed
CC: (none) => tarazed25
$ cvlc dvd://1
VLC media player 2.2.5.1 Umbrella (revision 2.2.5.1-14-g05b653355c)
[0000000001f195f8] upnp services discovery: Initializing libupnp on '(null)' interface
[0000000001f26948] dummy interface: using the dummy interface module...
libdvdnav: Using dvdnav version 5.0.3
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.IFO.
libdvdnav: vm: failed to read VIDEO_TS.IFO
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.BUP.
[00007f9d700009b8] core input error: open of `dvd://1' failed
[00007f9d700009b8] core input error: Your input can't be opened
[00007f9d700009b8] core input error: VLC is unable to open the MRL 'dvd://1'. Check the log for details.
So, it was a bad disk. Tried a later commercial disk and there were no problems playing, with sound, with subtitles, fullscreen, keyboard zoom function, ... Passing this for 64-bits.
Tested for i586 in virtualbox. Tainted packages installed and then updated. Ran cvlc and vlc from the command line against various audio format files and videos. All working OK - sound via host interface. Launched vlc and added a skin and relaunched it. Used Open File -> Network to specify a Youtube URL and streamed the video. Working fine. Used Machine Settings menu to attach the host DVD/CDROM device to the IDE controller. Open File -> Disc to select the DVD and played it OK with sound and subtitles. This looks OK for 32-bits. The free version needs to be tested on both architectures before this can be validated. Any volunteers? If not I shall try this on another system and not enable tainted media sources. Waiting for a while in case anybody responds.
More details on the security fixes are in this article: http://news.softpedia.com/news/vlc-media-player-2-2-5-improves-video-scaling-in-vdpau-mp3-playback-and-more-515657.shtml
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
vlc svlc libvlc5 libvlccore8 vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora

default install of vlc svlc libvlc5 libvlccore8 vlc-plugin-common vlc-plugin-pulse & vlc-plugin-theora

[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.65-desktop586-1.mga5
[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlc5
Package libvlc5-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlccore8
Package libvlccore8-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.4-1.mga5.tainted.i586 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv

Install: vlc svlc libvlc5 libvlccore8 vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora from updates-testing

[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlc5
Package libvlc5-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlccore8
Package libvlccore8-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.5.1-1.mga5.tainted.i586 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv
CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
vlc svlc libvlc5 libvlccore8 vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora

default install of vlc svlc lib64vlc5 lib64vlccore8 vlc-plugin-common vlc-plugin-pulse & vlc-plugin-theora

[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.65-desktop-1.mga5
[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlc5
Package lib64vlc5-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlccore8
Package lib64vlccore8-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.4-1.mga5.tainted.x86_64 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv

Install: vlc svlc lib64vlc5 lib64vlccore8 vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora from updates-testing

[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlc5
Package lib64vlc5-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlccore8
Package lib64vlccore8-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.5.1-1.mga5.tainted.x86_64 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
For me this update works fine. I will validate this in 24 hours unless someone finds an issue.
@wilcal comment 11. No time to check untainted version so go ahead and validate.
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0144.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Apparently some of the issues fixed in 2.2.5.1 specifically are the widely publicized subtitle flaws, which have CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313 according to this article: http://www.eweek.com/security/check-point-discovers-media-subtitle-vulnerability-impacting-millions
According to the updated NEWS file, 2.2.5.1 fixed CVE-2017-9300 and CVE-2017-9301: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=blob;f=NEWS;h=d9b31b4e5362c7d764f3e6b23b78aaeb0b8bf868;hb=3cc1d8cba982fc988c2a421e42408bb05d1ba37f