faad2-2.11.2-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16276 Final 1 1 2025-07-03T00:00:00Z current 2025-07-03T00:00:00Z 2025-07-03T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z faad2-2.11.2-2.1 on GA media These are all security issues fixed in the faad2-2.11.2-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16276 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-20194/ SUSE CVE CVE-2018-20194 page https://www.suse.com/security/cve/CVE-2018-20196/ SUSE CVE CVE-2018-20196 page https://www.suse.com/security/cve/CVE-2018-20199/ SUSE CVE CVE-2018-20199 page https://www.suse.com/security/cve/CVE-2018-20358/ SUSE CVE CVE-2018-20358 page https://www.suse.com/security/cve/CVE-2018-20359/ SUSE CVE CVE-2018-20359 page https://www.suse.com/security/cve/CVE-2018-20362/ SUSE CVE CVE-2018-20362 page https://www.suse.com/security/cve/CVE-2019-15296/ SUSE CVE CVE-2019-15296 page https://www.suse.com/security/cve/CVE-2019-6956/ SUSE CVE CVE-2019-6956 page openSUSE Tumbleweed faad2-2.11.2-2.1 faad2-devel-2.11.2-2.1 libfaad2-2.11.2-2.1 libfaad2-32bit-2.11.2-2.1 libfaad_drm2-2.11.2-2.1 libfaad_drm2-32bit-2.11.2-2.1 faad2-2.11.2-2.1 as a component of openSUSE Tumbleweed faad2-devel-2.11.2-2.1 as a component of openSUSE Tumbleweed libfaad2-2.11.2-2.1 as a component of openSUSE Tumbleweed libfaad2-32bit-2.11.2-2.1 as a component of openSUSE Tumbleweed libfaad_drm2-2.11.2-2.1 as a component of openSUSE Tumbleweed libfaad_drm2-32bit-2.11.2-2.1 as a component of openSUSE Tumbleweed There is a stack-based buffer underflow in the third instance of the calculate_gain function in libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. A crafted input will lead to a denial of service or possibly unspecified other impact because limiting the additional noise energy level is mishandled for the G_max <= G case. CVE-2018-20194 openSUSE Tumbleweed:faad2-2.11.2-2.1 openSUSE Tumbleweed:faad2-devel-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-32bit-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-32bit-2.11.2-2.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20194.html CVE-2018-20194 There is a stack-based buffer overflow in the third instance of the calculate_gain function in libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. A crafted input will lead to a denial of service or possibly unspecified other impact because the S_M array is mishandled. CVE-2018-20196 openSUSE Tumbleweed:faad2-2.11.2-2.1 openSUSE Tumbleweed:faad2-devel-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-32bit-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-32bit-2.11.2-2.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20196.html CVE-2018-20196 A NULL pointer dereference was discovered in ifilter_bank of libfaad/filtbank.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service because adding to windowed output is mishandled in the ONLY_LONG_SEQUENCE case. CVE-2018-20199 openSUSE Tumbleweed:faad2-2.11.2-2.1 openSUSE Tumbleweed:faad2-devel-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-32bit-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-32bit-2.11.2-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20199.html CVE-2018-20199 An invalid memory address dereference was discovered in the lt_prediction function of libfaad/lt_predict.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2018-20358 openSUSE Tumbleweed:faad2-2.11.2-2.1 openSUSE Tumbleweed:faad2-devel-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-32bit-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-32bit-2.11.2-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20358.html CVE-2018-20358 An invalid memory address dereference was discovered in the sbrDecodeSingleFramePS function of libfaad/sbr_dec.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. CVE-2018-20359 openSUSE Tumbleweed:faad2-2.11.2-2.1 openSUSE Tumbleweed:faad2-devel-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-32bit-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-32bit-2.11.2-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20359.html CVE-2018-20359 A NULL pointer dereference was discovered in ifilter_bank of libfaad/filtbank.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash because adding to windowed output is mishandled in the EIGHT_SHORT_SEQUENCE case. CVE-2018-20362 openSUSE Tumbleweed:faad2-2.11.2-2.1 openSUSE Tumbleweed:faad2-devel-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-32bit-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-32bit-2.11.2-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20362.html CVE-2018-20362 An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The faad_resetbits function in libfaad/bits.c is affected by a buffer overflow vulnerability. The number of bits to be read is determined by ld->buffer_size - words*4, cast to uint32. If ld->buffer_size - words*4 is negative, a buffer overflow is later performed via getdword_n(&ld->start[words], ld->bytes_left). CVE-2019-15296 openSUSE Tumbleweed:faad2-2.11.2-2.1 openSUSE Tumbleweed:faad2-devel-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-32bit-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-32bit-2.11.2-2.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-15296.html CVE-2019-15296 An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. It is a buffer over-read in ps_mix_phase in libfaad/ps_dec.c. CVE-2019-6956 openSUSE Tumbleweed:faad2-2.11.2-2.1 openSUSE Tumbleweed:faad2-devel-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-2.11.2-2.1 openSUSE Tumbleweed:libfaad2-32bit-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-2.11.2-2.1 openSUSE Tumbleweed:libfaad_drm2-32bit-2.11.2-2.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6956.html CVE-2019-6956