Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Luca Boccassi
luca.boccassi at gmail.com
Fri Sep 4 00:24:07 UTC 2015
On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
>
> Hi,
>
> the following vulnerabilities were published for libvdpau.
>
> CVE-2015-5198[0]:
> incorrect check for security transition
>
> CVE-2015-5199[1]:
> directory traversal in dlopen
>
> CVE-2015-5200[2]:
> vulnerability in trace functionality
>
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
Hello Alessandro,
Thanks for the heads-up!
Vincent, Andreas,
I have updated the libvdpau git repo with the new release [1]. I have
tested the amd64 and i386 packages in Jessie, and they seem to work just
fine with vdpauinfo and VLC.
Could you please review and do a new upload, when you have time?
Thanks!
Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
Kind regards,
Luca Boccassi
[1] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/attachments/20150904/c43768d6/attachment.sig>
More information about the pkg-nvidia-devel
mailing list