Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

Luca Boccassi luca.boccassi at gmail.com
Fri Sep 4 00:24:07 UTC 2015


On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
> 
> Hi,
> 
> the following vulnerabilities were published for libvdpau.
> 
> CVE-2015-5198[0]:
> incorrect check for security transition
> 
> CVE-2015-5199[1]:
> directory traversal in dlopen
> 
> CVE-2015-5200[2]:
> vulnerability in trace functionality
> 
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Hello Alessandro,

Thanks for the heads-up!

Vincent, Andreas,

I have updated the libvdpau git repo with the new release [1]. I have
tested the amd64 and i386 packages in Jessie, and they seem to work just
fine with vdpauinfo and VLC.

Could you please review and do a new upload, when you have time?

Thanks!

Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.

Kind regards,
Luca Boccassi

[1] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git