The main VLC page proclaims 3.0.13, but the download bit says "Version 3.0.14  •  Linux".
We already have version 3.0.13 in Cauldron thanks to Stig, so assigning this bug to you.

Assignee: bugsquad => smelror

Pushed 3.0.14 to Cauldron.

Depends on: (none) => 28278

Updated packages uploaded to core *and tainted* updates_testing.

SRPMS:
vlc-3.0.14-1.mga7.src.rpm
vlc-3.0.14-1.mga8.src.rpm

RPMS:
vlc-3.0.14-1.mga7
libvlc5-3.0.14-1.mga7
libvlccore9-3.0.14-1.mga7
libvlc-devel-3.0.14-1.mga7
vlc-plugin-common-3.0.14-1.mga7
vlc-plugin-zvbi-3.0.14-1.mga7
vlc-plugin-kate-3.0.14-1.mga7
vlc-plugin-libass-3.0.14-1.mga7
vlc-plugin-lua-3.0.14-1.mga7
vlc-plugin-ncurses-3.0.14-1.mga7
vlc-plugin-lirc-3.0.14-1.mga7
svlc-3.0.14-1.mga7
vlc-plugin-aa-3.0.14-1.mga7
vlc-plugin-sdl-3.0.14-1.mga7
vlc-plugin-shout-3.0.14-1.mga7
vlc-plugin-opengl-3.0.14-1.mga7
vlc-plugin-vdpau-3.0.14-1.mga7
vlc-plugin-projectm-3.0.14-1.mga7
vlc-plugin-theora-3.0.14-1.mga7
vlc-plugin-twolame-3.0.14-1.mga7
vlc-plugin-fluidsynth-3.0.14-1.mga7
vlc-plugin-gme-3.0.14-1.mga7
vlc-plugin-schroedinger-3.0.14-1.mga7
vlc-plugin-speex-3.0.14-1.mga7
vlc-plugin-flac-3.0.14-1.mga7
vlc-plugin-dv-3.0.14-1.mga7
vlc-plugin-mod-3.0.14-1.mga7
vlc-plugin-mpc-3.0.14-1.mga7
vlc-plugin-sid-3.0.14-1.mga7
vlc-plugin-sndio-3.0.14-1.mga7
vlc-plugin-pulse-3.0.14-1.mga7
vlc-plugin-jack-3.0.14-1.mga7
vlc-plugin-rist-3.0.14-1.mga7
vlc-plugin-upnp-3.0.14-1.mga7
vlc-plugin-gnutls-3.0.14-1.mga7
vlc-plugin-libnotify-3.0.14-1.mga7
vlc-plugin-chromaprint-3.0.14-1.mga7
vlc-plugin-samba-3.0.14-1.mga7
vlc-3.0.14-1.mga8
vlc-plugin-common-3.0.14-1.mga8
svlc-3.0.14-1.mga8
libvlccore9-3.0.14-1.mga8
libvlc-devel-3.0.14-1.mga8
vlc-plugin-lua-3.0.14-1.mga8
libvlc5-3.0.14-1.mga8
vlc-plugin-vdpau-3.0.14-1.mga8
vlc-plugin-opengl-3.0.14-1.mga8
vlc-plugin-flac-3.0.14-1.mga8
vlc-plugin-rist-3.0.14-1.mga8
vlc-plugin-ncurses-3.0.14-1.mga8
vlc-plugin-upnp-3.0.14-1.mga8
vlc-plugin-schroedinger-3.0.14-1.mga8
vlc-plugin-kate-3.0.14-1.mga8
vlc-plugin-jack-3.0.14-1.mga8
vlc-plugin-pulse-3.0.14-1.mga8
vlc-plugin-speex-3.0.14-1.mga8
vlc-plugin-theora-3.0.14-1.mga8
vlc-plugin-zvbi-3.0.14-1.mga8
vlc-plugin-gnutls-3.0.14-1.mga8
vlc-plugin-libass-3.0.14-1.mga8
vlc-plugin-shout-3.0.14-1.mga8
vlc-plugin-dv-3.0.14-1.mga8
vlc-plugin-mod-3.0.14-1.mga8
vlc-plugin-twolame-3.0.14-1.mga8
vlc-plugin-gme-3.0.14-1.mga8
vlc-plugin-fluidsynth-3.0.14-1.mga8
vlc-plugin-projectm-3.0.14-1.mga8
vlc-plugin-samba-3.0.14-1.mga8
vlc-plugin-sdl-3.0.14-1.mga8
vlc-plugin-lirc-3.0.14-1.mga8
vlc-plugin-aa-3.0.14-1.mga8
vlc-plugin-sndio-3.0.14-1.mga8
vlc-plugin-libnotify-3.0.14-1.mga8
vlc-plugin-mpc-3.0.14-1.mga8
vlc-plugin-chromaprint-3.0.14-1.mga8
vlc-plugin-sid-3.0.14-1.mga8

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Assignee: smelror => qa-bugs

MGA8 - 64 bit

The following 33 packages are going to be installed:

- fonts-ttf-bitstream-vera-1.10-18.mga8.noarch
- lib64aribb25_0-0.2.7-1.mga8.x86_64
- lib64cddb2-1.3.2-21.mga8.x86_64
- lib64crystalhd3-0-0.20110315.13.mga8.x86_64
- lib64dbus-devel-1.13.18-3.mga8.x86_64
- lib64dvbpsi10-1.3.3-2.mga8.x86_64
- lib64ebml5-1.4.1-1.mga8.x86_64
- lib64matroska7-1.6.2-1.mga8.x86_64
- lib64pcsclite1-1.9.0-1.mga8.x86_64
- lib64protobuf-lite25-3.14.0-1.mga8.x86_64
- lib64vlc-devel-3.0.14-1.mga8.x86_64
- lib64vlc5-3.0.14-1.mga8.x86_64
- lib64vlccore9-3.0.14-1.mga8.x86_64
- lib64xcb-composite0-1.14-1.mga8.x86_64
- lib64xcb-xv0-1.14-1.mga8.x86_64
- libcrystalhd-common-0-0.20110315.13.mga8.x86_64
- svlc-3.0.14-1.mga8.x86_64
- systemd-devel-246.13-2.mga8.x86_64
- vlc-3.0.14-1.mga8.x86_64
- vlc-plugin-aa-3.0.14-1.mga8.x86_64
- vlc-plugin-chromaprint-3.0.14-1.mga8.x86_64
- vlc-plugin-common-3.0.14-1.mga8.x86_64
- vlc-plugin-dv-3.0.14-1.mga8.x86_64
- vlc-plugin-flac-3.0.14-1.mga8.x86_64
- vlc-plugin-fluidsynth-3.0.14-1.mga8.x86_64
- vlc-plugin-gme-3.0.14-1.mga8.x86_64
- vlc-plugin-gnutls-3.0.14-1.mga8.x86_64
- vlc-plugin-lua-3.0.14-1.mga8.x86_64
- vlc-plugin-opengl-3.0.14-1.mga8.x86_64
- vlc-plugin-pulse-3.0.14-1.mga8.x86_64
- vlc-plugin-samba-3.0.14-1.mga8.x86_64
- vlc-plugin-theora-3.0.14-1.mga8.x86_64
- vlc-plugin-vdpau-3.0.14-1.mga8.x86_64

62MB of additional disk space will be used.

Played flac and Mp4 video working so far.

CC: (none) => brtians1

Installed and tested tainted version without issues.


Tested:
- Various file formats and codecs;
- Video, audio and image;
- Tested local files, http(s), rtsp (IP camera);
- Tested UPNP/DLNA from media server mediadlnad;
- Tested application/screen capture;
- Tested video decoding VDPAU hardware acceleration.

All worked.


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.


$ uname -a
Linux marte 5.10.41-desktop-1.mga7 #1 SMP Fri May 28 14:28:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -i vlc | sort
lib64vlc5-3.0.14-1.mga7.tainted
lib64vlccore9-3.0.14-1.mga7.tainted
phonon4qt5-vlc-0.10.2-2.mga7
vlc-3.0.14-1.mga7.tainted
vlc-plugin-common-3.0.14-1.mga7.tainted
vlc-plugin-flac-3.0.14-1.mga7.tainted
vlc-plugin-gnutls-3.0.14-1.mga7.tainted
vlc-plugin-libass-3.0.14-1.mga7.tainted
vlc-plugin-lua-3.0.14-1.mga7.tainted
vlc-plugin-projectm-3.0.14-1.mga7.tainted
vlc-plugin-pulse-3.0.14-1.mga7.tainted
vlc-plugin-samba-3.0.14-1.mga7.tainted
vlc-plugin-speex-3.0.14-1.mga7.tainted
vlc-plugin-theora-3.0.14-1.mga7.tainted
vlc-plugin-upnp-3.0.14-1.mga7.tainted
vlc-plugin-vdpau-3.0.14-1.mga7.tainted

CC: (none) => mageia

Comment 5 tested the mga7 tainted version. Testing the mga7 core version, and the packages of Bug 28278:

The following 11 packages are going to be installed:

- lib64ebml5-1.4.2-1.mga7.x86_64
- lib64matroska6-1.5.0-2.1.mga7.x86_64
- lib64vlc5-3.0.14-1.mga7.x86_64
- lib64vlccore9-3.0.14-1.mga7.x86_64
- vlc-3.0.14-1.mga7.x86_64
- vlc-plugin-common-3.0.14-1.mga7.x86_64
- vlc-plugin-flac-3.0.14-1.mga7.x86_64
- vlc-plugin-pulse-3.0.14-1.mga7.x86_64
- vlc-plugin-speex-3.0.14-1.mga7.x86_64
- vlc-plugin-theora-3.0.14-1.mga7.x86_64
- vlc-plugin-vdpau-3.0.14-1.mga7.x86_64

No installation issues. Played .mp4, .avi, .mkv files, no issues noted. Giving this a mga7 OK.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => andrewsfarm

Comment 4 tested the mga8 core version. Testing the mga8 tainted version:

The following 12 packages are going to be installed:

- lib64vlc5-3.0.14-1.mga8.tainted.x86_64
- lib64vlccore9-3.0.14-1.mga8.tainted.x86_64
- vlc-3.0.14-1.mga8.tainted.x86_64
- vlc-plugin-common-3.0.14-1.mga8.tainted.x86_64
- vlc-plugin-flac-3.0.14-1.mga8.tainted.x86_64
- vlc-plugin-lua-3.0.14-1.mga8.tainted.x86_64
- vlc-plugin-opengl-3.0.14-1.mga8.tainted.x86_64
- vlc-plugin-pulse-3.0.14-1.mga8.tainted.x86_64
- vlc-plugin-samba-3.0.14-1.mga8.tainted.x86_64
- vlc-plugin-speex-3.0.14-1.mga8.tainted.x86_64
- vlc-plugin-theora-3.0.14-1.mga8.tainted.x86_64
- vlc-plugin-vdpau-3.0.14-1.mga8.tainted.x86_64

No installation issues. Played another selection of videos, including some of Field of Dreams (If you build it, He will come.)

No issues noted. Giving this a mga8 OK, and validating.

Keywords: (none) => validated_update
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA9-64-OK
CC: (none) => sysadmin-bugs

oops. typo.

Whiteboard: MGA7TOO MGA7-64-OK MGA9-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Advisory:
========================

Updated vlc packages fix security vulnerabilities:

A remote user could create a specifically crafted file that could trigger some various issues.

It is possible to trigger a remote code execution through a specifically crafted playlist, and tricking the user into interacting with that playlist elements.

It is also possible to trigger read or write buffer overflows with some crafted files or by a MITM attack on the automatic updater

If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.

We updated VLC to latest version available.

References:
- https://bugs.mageia.org/show_bug.cgi?id=28930
- https://www.videolan.org/security/sb-vlc3013.html
- https://www.videolan.org/vlc/releases/3.0.13.html
- https://code.videolan.org/videolan/vlc-3.0/-/raw/master/NEWS
- https://git.videolan.org/?p=vlc/vlc-3.0.git;a=blob;f=NEWS;h=e5dd1855e797179ec3a0bee2cae4ac68705a70cc;hb=41878ff4f2a4b566cf0a1bd15f72037b2be98a18
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)vlc-devel-3.0.14-1.mga8
lib(64)vlc5-3.0.14-1.mga8
lib(64)vlccore9-3.0.14-1.mga8
svlc-3.0.14-1.mga8
vlc-3.0.14-1.mga8
vlc-plugin-aa-3.0.14-1.mga8
vlc-plugin-chromaprint-3.0.14-1.mga8
vlc-plugin-common-3.0.14-1.mga8
vlc-plugin-dv-3.0.14-1.mga8
vlc-plugin-flac-3.0.14-1.mga8
vlc-plugin-fluidsynth-3.0.14-1.mga8
vlc-plugin-gme-3.0.14-1.mga8
vlc-plugin-gnutls-3.0.14-1.mga8
vlc-plugin-jack-3.0.14-1.mga8
vlc-plugin-kate-3.0.14-1.mga8
vlc-plugin-libass-3.0.14-1.mga8
vlc-plugin-libnotify-3.0.14-1.mga8
vlc-plugin-lirc-3.0.14-1.mga8
vlc-plugin-lua-3.0.14-1.mga8
vlc-plugin-mod-3.0.14-1.mga8
vlc-plugin-mpc-3.0.14-1.mga8
vlc-plugin-ncurses-3.0.14-1.mga8
vlc-plugin-opengl-3.0.14-1.mga8
vlc-plugin-projectm-3.0.14-1.mga8
vlc-plugin-pulse-3.0.14-1.mga8
vlc-plugin-rist-3.0.14-1.mga8
vlc-plugin-samba-3.0.14-1.mga8
vlc-plugin-schroedinger-3.0.14-1.mga8
vlc-plugin-sdl-3.0.14-1.mga8
vlc-plugin-shout-3.0.14-1.mga8
vlc-plugin-sid-3.0.14-1.mga8
vlc-plugin-sndio-3.0.14-1.mga8
vlc-plugin-speex-3.0.14-1.mga8
vlc-plugin-theora-3.0.14-1.mga8
vlc-plugin-twolame-3.0.14-1.mga8
vlc-plugin-upnp-3.0.14-1.mga8
vlc-plugin-vdpau-3.0.14-1.mga8
vlc-plugin-zvbi-3.0.14-1.mga8

and Updated packages in 8/tainted/updates_testing:
========================
lib(64)vlc-devel-3.0.14-1.mga8.tainted
lib(64)vlc5-3.0.14-1.mga8.tainted
lib(64)vlccore9-3.0.14-1.mga8.tainted
svlc-3.0.14-1.mga8.tainted
vlc-3.0.14-1.mga8.tainted
vlc-plugin-aa-3.0.14-1.mga8.tainted
vlc-plugin-chromaprint-3.0.14-1.mga8.tainted
vlc-plugin-common-3.0.14-1.mga8.tainted
vlc-plugin-dv-3.0.14-1.mga8.tainted
vlc-plugin-fdkaac-3.0.14-1.mga8.tainted
vlc-plugin-flac-3.0.14-1.mga8.tainted
vlc-plugin-fluidsynth-3.0.14-1.mga8.tainted
vlc-plugin-gme-3.0.14-1.mga8.tainted
vlc-plugin-gnutls-3.0.14-1.mga8.tainted
vlc-plugin-jack-3.0.14-1.mga8.tainted
vlc-plugin-kate-3.0.14-1.mga8.tainted
vlc-plugin-libass-3.0.14-1.mga8.tainted
vlc-plugin-libnotify-3.0.14-1.mga8.tainted
vlc-plugin-lirc-3.0.14-1.mga8.tainted
vlc-plugin-lua-3.0.14-1.mga8.tainted
vlc-plugin-mod-3.0.14-1.mga8.tainted
vlc-plugin-mpc-3.0.14-1.mga8.tainted
vlc-plugin-ncurses-3.0.14-1.mga8.tainted
vlc-plugin-opengl-3.0.14-1.mga8.tainted
vlc-plugin-projectm-3.0.14-1.mga8.tainted
vlc-plugin-pulse-3.0.14-1.mga8.tainted
vlc-plugin-rist-3.0.14-1.mga8.tainted
vlc-plugin-samba-3.0.14-1.mga8.tainted
vlc-plugin-schroedinger-3.0.14-1.mga8.tainted
vlc-plugin-sdl-3.0.14-1.mga8.tainted
vlc-plugin-shout-3.0.14-1.mga8.tainted
vlc-plugin-sid-3.0.14-1.mga8.tainted
vlc-plugin-sndio-3.0.14-1.mga8.tainted
vlc-plugin-speex-3.0.14-1.mga8.tainted
vlc-plugin-theora-3.0.14-1.mga8.tainted
vlc-plugin-twolame-3.0.14-1.mga8.tainted
vlc-plugin-upnp-3.0.14-1.mga8.tainted
vlc-plugin-vdpau-3.0.14-1.mga8.tainted
vlc-plugin-zvbi-3.0.14-1.mga8.tainted

from SRPM:
vlc-3.0.14-1.mga8

========================

Updated packages in 7/core/updates_testing:
========================
lib(64)vlc-devel-3.0.14-1.mga7
lib(64)vlc5-3.0.14-1.mga7
lib(64)vlccore9-3.0.14-1.mga7
svlc-3.0.14-1.mga7
vlc-3.0.14-1.mga7
vlc-plugin-aa-3.0.14-1.mga7
vlc-plugin-chromaprint-3.0.14-1.mga7
vlc-plugin-common-3.0.14-1.mga7
vlc-plugin-dv-3.0.14-1.mga7
vlc-plugin-flac-3.0.14-1.mga7
vlc-plugin-fluidsynth-3.0.14-1.mga7
vlc-plugin-gme-3.0.14-1.mga7
vlc-plugin-gnutls-3.0.14-1.mga7
vlc-plugin-jack-3.0.14-1.mga7
vlc-plugin-kate-3.0.14-1.mga7
vlc-plugin-libass-3.0.14-1.mga7
vlc-plugin-libnotify-3.0.14-1.mga7
vlc-plugin-lirc-3.0.14-1.mga7
vlc-plugin-lua-3.0.14-1.mga7
vlc-plugin-mod-3.0.14-1.mga7
vlc-plugin-mpc-3.0.14-1.mga7
vlc-plugin-ncurses-3.0.14-1.mga7
vlc-plugin-opengl-3.0.14-1.mga7
vlc-plugin-projectm-3.0.14-1.mga7
vlc-plugin-pulse-3.0.14-1.mga7
vlc-plugin-rist-3.0.14-1.mga7
vlc-plugin-samba-3.0.14-1.mga7
vlc-plugin-schroedinger-3.0.14-1.mga7
vlc-plugin-sdl-3.0.14-1.mga7
vlc-plugin-shout-3.0.14-1.mga7
vlc-plugin-sid-3.0.14-1.mga7
vlc-plugin-sndio-3.0.14-1.mga7
vlc-plugin-speex-3.0.14-1.mga7
vlc-plugin-theora-3.0.14-1.mga7
vlc-plugin-twolame-3.0.14-1.mga7
vlc-plugin-upnp-3.0.14-1.mga7
vlc-plugin-vdpau-3.0.14-1.mga7
vlc-plugin-zvbi-3.0.14-1.mga7

and Updated packages in 7/tainted/updates_testing:
========================
lib(64)vlc-devel-3.0.14-1.mga7.tainted
lib(64)vlc5-3.0.14-1.mga7.tainted
lib(64)vlccore9-3.0.14-1.mga7.tainted
svlc-3.0.14-1.mga7.tainted
vlc-3.0.14-1.mga7.tainted
vlc-plugin-aa-3.0.14-1.mga7.tainted
vlc-plugin-chromaprint-3.0.14-1.mga7.tainted
vlc-plugin-common-3.0.14-1.mga7.tainted
vlc-plugin-dv-3.0.14-1.mga7.tainted
vlc-plugin-fdkaac-3.0.14-1.mga7.tainted
vlc-plugin-flac-3.0.14-1.mga7.tainted
vlc-plugin-fluidsynth-3.0.14-1.mga7.tainted
vlc-plugin-gme-3.0.14-1.mga7.tainted
vlc-plugin-gnutls-3.0.14-1.mga7.tainted
vlc-plugin-jack-3.0.14-1.mga7.tainted
vlc-plugin-kate-3.0.14-1.mga7.tainted
vlc-plugin-libass-3.0.14-1.mga7.tainted
vlc-plugin-libnotify-3.0.14-1.mga7.tainted
vlc-plugin-lirc-3.0.14-1.mga7.tainted
vlc-plugin-lua-3.0.14-1.mga7.tainted
vlc-plugin-mod-3.0.14-1.mga7.tainted
vlc-plugin-mpc-3.0.14-1.mga7.tainted
vlc-plugin-ncurses-3.0.14-1.mga7.tainted
vlc-plugin-opengl-3.0.14-1.mga7.tainted
vlc-plugin-projectm-3.0.14-1.mga7.tainted
vlc-plugin-pulse-3.0.14-1.mga7.tainted
vlc-plugin-rist-3.0.14-1.mga7.tainted
vlc-plugin-samba-3.0.14-1.mga7.tainted
vlc-plugin-schroedinger-3.0.14-1.mga7.tainted
vlc-plugin-sdl-3.0.14-1.mga7.tainted
vlc-plugin-shout-3.0.14-1.mga7.tainted
vlc-plugin-sid-3.0.14-1.mga7.tainted
vlc-plugin-sndio-3.0.14-1.mga7.tainted
vlc-plugin-speex-3.0.14-1.mga7.tainted
vlc-plugin-theora-3.0.14-1.mga7.tainted
vlc-plugin-twolame-3.0.14-1.mga7.tainted
vlc-plugin-upnp-3.0.14-1.mga7.tainted
vlc-plugin-vdpau-3.0.14-1.mga7.tainted
vlc-plugin-zvbi-3.0.14-1.mga7.tainted

from SRPM:
vlc-3.0.14-1.mga7

CC: (none) => ouaurelien

In last comment, forgot to add:

SRPMs:
- vlc-3.0.14-1.mga7.tainted
- vlc-3.0.14-1.mga8.tainted

I noticed the tainted published here.

The following 11 packages are going to be installed:

- lib64dvdcss2-1.4.2-2.mga7.tainted.x86_64
- lib64ebml5-1.4.2-1.mga7.x86_64
- lib64vlc5-3.0.14-1.mga7.tainted.x86_64
- lib64vlccore9-3.0.14-1.mga7.tainted.x86_64
- vlc-3.0.14-1.mga7.tainted.x86_64
- vlc-plugin-common-3.0.14-1.mga7.tainted.x86_64
- vlc-plugin-flac-3.0.14-1.mga7.tainted.x86_64
- vlc-plugin-pulse-3.0.14-1.mga7.tainted.x86_64
- vlc-plugin-speex-3.0.14-1.mga7.tainted.x86_64
- vlc-plugin-theora-3.0.14-1.mga7.tainted.x86_64
- vlc-plugin-vdpau-3.0.14-1.mga7.tainted.x86_64

895KB of additional disk space will be used.


DVD plays, other videos as well.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0227.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED