SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3289

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3289

Security update for gstreamer-plugins-bad, libvpl

Type: security

Severity: important

Issued: 2024-09-17

Description:

This update for gstreamer-plugins-bad, libvpl fixes the following issues:

- Dropped support for libmfx to fix the following CVEs:
  * libmfx: improper input validation (CVE-2023-48368, bsc#1226897)
  * libmfx: improper buffer restrictions (CVE-2023-45221, bsc#1226898)
  * libmfx: out-of-bounds read (CVE-2023-22656, bsc#1226899)
  * libmfx: out-of-bounds write (CVE-2023-47282, bsc#1226900)
  * libmfx: improper buffer restrictions (CVE-2023-47169, bsc#1226901)

The libmfx dependency is replaced by libvpl.

References

jira: PED-10024 https://jira.suse.com/browse/PED-10024
CVE: CVE-2023-50186
CVE: CVE-2023-48368
CVE: CVE-2023-47282
CVE: CVE-2023-47169
CVE: CVE-2023-45221
CVE: CVE-2023-22656
Bugzilla: 1226901 VUL-0: CVE-2023-47169: libmfx: improper buffer restrictions
Bugzilla: 1226900 VUL-0: CVE-2023-47282: libmfx: out-of-bounds write
Bugzilla: 1226899 VUL-0: CVE-2023-22656: libmfx: out-of-bounds read
Bugzilla: 1226898 VUL-0: CVE-2023-45221: libmfx: improper buffer restrictions
Bugzilla: 1226897 VUL-0: CVE-2023-48368: libmfx: improper input validation
Bugzilla: 1226892 L3: L3-Question: Multiple vulnerabilities in the Intel Media SDK (libmfx1) — ref:_00D1igLOd._500TrCexKD:ref
Bugzilla: 1223263 VUL-0: CVE-2023-50186: gstreamer-plugins-bad: buffer overflow vulnerability
Bugzilla: 1219494 libmfx no longer supported
Bugzilla: 1218534 VUL-0: gstreamer-plugins-bad: Heap-based buffer overflow in the AV1 codec parser (ZDI-CAN-22300)

Packages

gstreamer-plugins-bad-1.22.0-150500.3.25.2