VLC 3.0.7 has been released on June 6:
As the NEWS shows, it fixes a ton of security issues, detailed more here:
which points out that some of the issues are actually in faad2, a separate library package. Someone on another distro security team highlighted these commits with changes to faad2:
and a PoC for a faad2 issue (presumably fixed above) given CVE-2019-6956:
Assigning to our registered VLC maintainer, CC'ing some submitters.
VLC 188.8.131.52 has been released on June 12, fixing a couple of bugs, and updating the bundled (we'll have to update the system one) libbluray to 1.1.2.
There are some updates in updates_testing.
Yes, please update the two packages in Comment 2 and then ask for everything to be moved to release, otherwise we can't do anything with Mageia 6.
Cauldron packages moved
Assigning to qa for testing.
vlc is in madb but we need a package list.
As far as I can make out, the PoC test confirms that the faad2 issue has been fixed already.
Have installed all the tainted updates to vlc but now awaiting further information. Shall test free version on another machine.
This isn't ready for QA. vlc-184.108.40.206-1.mga6.src.rpm has been built, but neither the libbluray nor the faad2 updates are available.
faad2 is only in tainted and vlc is in both core and tainted.
Testing tainted versions on mga6, x86_64.
$ rpm -qa | grep faad2
$ faad global-buffer-overflow@ps_mix_phase
global-buffer-overflow@ps_mix_phase file info:
ADTS, 12.416 sec, 37 kbps, 48000 Hz
| Config: 2 Ch |
| Ch | Position |
| 00 | Left front |
| 01 | Right front |
Decoding global-buffer-overflow@ps_mix_phase took: 0.05 sec. 247.35x real-time.
The upstream test under the asan framework aborts, which probably confirms that faad has already been fixed.
The PoC returned exactly the same result, which seems to confirm the earlier conclusion.
vlc worked fine with svlc for MP3, MP4, MOV, and container formats like M4V and MKV, also WMV, AVI, ts and m2t. Tested it with a free-to-air TV feed and video streamed over the network. Subtitles working. No problems with sound or vision. Fullscreen, positioning controls, track skipping, speed control, pause and continue, reversing, snapshots, playlists... everything working as expected. Played audio CD and commercial DVD.
No idea how to test the bluray libraries - no free bluray discs if such things exist. There was some such project a while ago. Ubuntu has bluray support for vlc which needs libaacs0 for older blurays, libbluray-bdj and libbluray1 but my drive is DVD only.
Tainted updates good for 64-bits.
Installed the free vlc packages and updated all of them. Played various audio and audio/video files. Checked the functions provided by the interface. TV channels in SD and HD. Audio CDs played fine and non-commercial DVDs (BBC).
Good for 64-bits.
Sounds like a thorough test to me, Len. I'm going to give it a 32-bit OK based on a clean install in a vbox guest.
Validating. Needs advisory information if that in Comment 0 is insufficient.
An update for this issue has been pushed to the Mageia Updates repository.
This update fixed CVE-2019-5439 in VLC:
This update also fixed CVE-2019-12874 in VLC: