Bug 1142161 – VUL-1: CVE-2019-13962: vlc: lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read because it does not properly validate the width and height.

Bug 1142161 - (CVE-2019-13962) VUL-1: CVE-2019-13962: vlc: lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read because it does not properly validate the width and height.

(CVE-2019-13962)
Summary:	VUL-1: CVE-2019-13962: vlc: lavc_CopyPicture in modules/codec/avcodec/video.c...

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Other
Version:	Leap 42.3
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor (vote)
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/237689/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-07-19 08:41 UTC by Marcus Meissner
Modified:	2020-04-29 10:15 UTC (History)
CC List:	0 users

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2019-07-19 08:41:49 UTC

CVE-2019-13962

lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player
through 3.0.7 has a heap-based buffer over-read because it does not properly
validate the width and height.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13962
http://www.cvedetails.com/cve/CVE-2019-13962/
https://trac.videolan.org/vlc/ticket/22240
http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=2b4f9d0b0e0861f262c90e9b9b94e7d53b864509

Comment 1 Swamp Workflow Management 2019-07-31 09:00:31 UTC

This is an autogenerated message for OBS integration:
This bug (1142161) was mentioned in
https://build.opensuse.org/request/show/719998 15.1 / vlc
https://build.opensuse.org/request/show/719999 15.0 / vlc

Comment 2 Swamp Workflow Management 2019-08-08 19:10:43 UTC

openSUSE-SU-2019:1840-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1118586,1138354,1138933,1141522,1142161,1143547,1143549
CVE References: CVE-2018-19857,CVE-2019-12874,CVE-2019-13602,CVE-2019-13962,CVE-2019-5439,CVE-2019-5459,CVE-2019-5460
Sources used:
openSUSE Leap 15.1 (src):    vlc-3.0.7.1-lp151.6.3.1

Comment 3 Swamp Workflow Management 2019-08-15 13:15:17 UTC

openSUSE-SU-2019:1897-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1118586,1138354,1138933,1141522,1142161,1143547,1143549
CVE References: CVE-2018-19857,CVE-2019-12874,CVE-2019-13602,CVE-2019-13962,CVE-2019-5439,CVE-2019-5459,CVE-2019-5460
Sources used:
openSUSE Backports SLE-15-SP1 (src):    vlc-3.0.7.1-bp151.5.3.3

Comment 4 Swamp Workflow Management 2019-08-15 13:20:14 UTC

openSUSE-SU-2019:1909-1: An update that solves 7 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1093732,1094893,1118586,1133290,1138354,1138933,1141522,1142161,1143547,1143549
CVE References: CVE-2018-19857,CVE-2019-12874,CVE-2019-13602,CVE-2019-13962,CVE-2019-5439,CVE-2019-5459,CVE-2019-5460
Sources used:
openSUSE Leap 15.0 (src):    libaom-1.0.0-lp150.2.1, vlc-3.0.7.1-lp150.8.1

Comment 5 Swamp Workflow Management 2019-08-26 19:11:45 UTC

openSUSE-SU-2019:2015-1: An update that solves 7 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1093732,1094893,1118586,1133290,1138354,1138933,1141522,1142161,1143547,1143549
CVE References: CVE-2018-19857,CVE-2019-12874,CVE-2019-13602,CVE-2019-13962,CVE-2019-5439,CVE-2019-5459,CVE-2019-5460
Sources used:
openSUSE Backports SLE-15 (src):    libaom-1.0.0-bp150.2.1, vlc-3.0.7.1-bp150.2.6.1

Comment 6 Dominique Leuenberger 2019-12-11 15:13:41 UTC

Update has been released

Comment 7 Swamp Workflow Management 2020-04-23 13:44:48 UTC

openSUSE-SU-2020:0545-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1142161,1146428
CVE References: CVE-2019-13602,CVE-2019-13962,CVE-2019-14437,CVE-2019-14438,CVE-2019-14498,CVE-2019-14533,CVE-2019-14534,CVE-2019-14535,CVE-2019-14776,CVE-2019-14777,CVE-2019-14778,CVE-2019-14970
Sources used:
openSUSE Leap 15.1 (src):    vlc-3.0.9.2-lp151.6.6.1

Comment 8 Swamp Workflow Management 2020-04-29 10:15:59 UTC

openSUSE-SU-2020:0562-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1142161,1146428
CVE References: CVE-2019-13602,CVE-2019-13962,CVE-2019-14437,CVE-2019-14438,CVE-2019-14498,CVE-2019-14533,CVE-2019-14534,CVE-2019-14535,CVE-2019-14776,CVE-2019-14777,CVE-2019-14778,CVE-2019-14970
Sources used:
openSUSE Backports SLE-15-SP1 (src):    vlc-3.0.9.2-bp151.5.6.1