Bug 1171860 - (CVE-2019-19721) VUL-1: CVE-2019-19721: vlc: off-by-one error in the DecodeBlock function in codec/sdl_image.c
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Priority: P4 - Low
Severity: Minor
Assigned To: Dominique Leuenberger
Security Team bot
https://smash.suse.de/issue/259601/
Reported: 2020-05-19 07:59 UTC by Robert Frohl
Modified: 2020-05-19 10:29 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2020-05-19 07:59:36 UTC
CVE-2019-19721

An off-by-one error in the DecodeBlock function in codec/sdl_image.c in
VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a
denial of service (memory corruption) via a crafted image file. NOTE: this
may be related to the SDL_Image product.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19721
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19721.html
Comment 1 Robert Frohl 2020-05-19 08:02:58 UTC
Still affects Leap 15.1; Tumbleweed and 15.2 are already on 3.0.10.
Comment 2 Dominique Leuenberger 2020-05-19 10:24:41 UTC
(In reply to Robert Frohl from comment #1)
> Still affects Leap 15.1; Tumbleweed and 15.2 are already on 3.0.10.

Leap 15.1 is at 3.0.9.2; according to #c0 the issue is 'before 3.0.9'. Really affected? If yes, there is no issue in submitting 3.0.10 to Leap 15.1 as well.
Comment 3 Dominique Leuenberger 2020-05-19 10:28:29 UTC
That was the update to VLC 3.0.9.2 in 15.1:Update

r2 | maintenance-robot | 2020-04-23 08:12:37 | e1cd5e55cddf8cc6c6ddd46aec1fe910 | unknown | rq795340

Set link to vlc.12355 via maintenance_release request
Comment 4 Robert Frohl 2020-05-19 10:28:45 UTC
(In reply to Dominique Leuenberger from comment #2)
> (In reply to Robert Frohl from comment #1)
> > Still affects Leap 15.1; Tumbleweed and 15.2 are already on 3.0.10.
> 
> Leap 15.1 is at 3.0.9.2; according to #c0 the issue is 'before 3.0.9'. Really
> affected? If yes, there is no issue in submitting 3.0.10 to Leap 15.1 as well.

You are correct, I checked the GA codestream by accident.
Comment 5 Robert Frohl 2020-05-19 10:29:10 UTC
Closing.
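The version reasoning in comments 2 to 4, as an added example that is not part of the bug report: a small Python check that maps the advisory's "before 3.0.9" range onto the codestream versions named in the thread. It assumes purely numeric dotted versions; a build that carries a backported fix under an older upstream version number is not detected by a version comparison alone.

```python
"""Added example (not from the bug report): decide whether a packaged VLC
build falls inside the CVE-2019-19721 advisory range "before 3.0.9".
The codestream names and versions are the ones stated in the thread; the
comparison is a plain component-wise numeric version compare."""

from typing import Dict, Tuple

FIXED_IN = "3.0.9"  # advisory wording: "VLC media player before 3.0.9"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.0.9.2' into (3, 0, 9, 2); non-numeric components are rejected
    so that a release suffix such as '3.0.9rc1' cannot be silently misread."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a purely numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed_in: str = FIXED_IN) -> bool:
    """True when installed < fixed_in under component-wise comparison.

    Tuple ordering handles unequal lengths the way package versions do:
    (3, 0, 9) < (3, 0, 9, 2), so 3.0.9.2 is *not* "before 3.0.9", and
    (3, 0, 10) compares numerically, not lexically, against (3, 0, 9).
    Caveat: a distro build with a backported fix may keep an older upstream
    version number, so a True result is a prompt to check the changelog.
    """
    return parse_version(installed) < parse_version(fixed_in)


def triage(codestreams: Dict[str, str]) -> Dict[str, bool]:
    """Map each codestream name to whether its version is in the affected range."""
    return {name: is_affected(ver) for name, ver in codestreams.items()}


# Versions as stated in the thread (Update codestream for Leap 15.1).
CODESTREAMS = {
    "Leap 15.1:Update": "3.0.9.2",
    "Leap 15.2": "3.0.10",
    "Tumbleweed": "3.0.10",
}

if __name__ == "__main__":
    for name, affected in triage(CODESTREAMS).items():
        state = "AFFECTED" if affected else "not affected"
        print(f"{name:18} {CODESTREAMS[name]:8} {state}")
```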