Bug 1171860 (CVE-2019-19721)

Summary: VUL-1: CVE-2019-19721: vlc: off-by-one error in the DecodeBlock function in codec/sdl_image.c
Product: [openSUSE] openSUSE Distribution
Reporter: Robert Frohl <rfrohl>
Component: Security
Assignee: Dominique Leuenberger <dimstar>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: rfrohl
Version: Leap 15.1
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/259601/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2020-05-19 07:59:36 UTC
CVE-2019-19721

An off-by-one error in the DecodeBlock function in codec/sdl_image.c in
VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a
denial of service (memory corruption) via a crafted image file. NOTE: this
may be related to the SDL_Image product.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19721
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19721.html
Comment 1 Robert Frohl 2020-05-19 08:02:58 UTC
still affects Leap 15.1, Tumbleweed and 15.2 are already on 3.0.10.
Comment 2 Dominique Leuenberger 2020-05-19 10:24:41 UTC
(In reply to Robert Frohl from comment #1)
> still affects Leap 15.1, Tumbleweed and 15.2 are already on 3.0.10.

Leap 15.1 is at 3.0.9.2; according to #c0 the issue is 'before 3.0.9'. Really affected? If yes, there is no issue in submitting 3.0.10 to Leap 15.1 as well.
Comment 3 Dominique Leuenberger 2020-05-19 10:28:29 UTC
That was the update to VLC 3.0.9.2 in 15.1:Update

r2 | maintenance-robot | 2020-04-23 08:12:37 | e1cd5e55cddf8cc6c6ddd46aec1fe910 | unknown | rq795340

Set link to vlc.12355 via maintenance_release request
Comment 4 Robert Frohl 2020-05-19 10:28:45 UTC
(In reply to Dominique Leuenberger from comment #2)
> (In reply to Robert Frohl from comment #1)
> > still affects Leap 15.1, Tumbleweed and 15.2 are already on 3.0.10.
> 
> Leap 15.1 is at 3.0.9.2; according to #c0 the issue is 'before 3.0.9'. Really
> affected? If yes, there is no issue in submitting 3.0.10 to Leap 15.1 as well

you are correct, I checked the GA codestream by accident.
Comment 5 Robert Frohl 2020-05-19 10:29:10 UTC
closing