Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

Vincent Cheng vcheng at debian.org
Fri Sep 4 05:40:37 UTC 2015


On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.boccassi at gmail.com> wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> Source: libvdpau
>> Severity: important
>> Tags: security, fixed-upstream
>>
>> Hi,
>>
>> the following vulnerabilities were published for libvdpau.
>>
>> CVE-2015-5198[0]:
>> incorrect check for security transition
>>
>> CVE-2015-5199[1]:
>> directory traversal in dlopen
>>
>> CVE-2015-5200[2]:
>> vulnerability in trace functionality
>>
>> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
>> release.
>>
>> If you fix the vulnerabilities please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> Hello Alessandro,
>
> Thanks for the heads-up!
>
> Vincent, Andreas,
>
> I have updated the libvdpau git repo with the new release [1]. I have
> tested the amd64 and i386 packages in Jessie, and they seem to work just
> fine with vdpauinfo and VLC.
>
> Could you please review and do a new upload, when you have time?
>
> Thanks!
>
> Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.

Uploaded, thanks! I'll make a note to myself to update the package in
jessie-backports as well. Luca, let me know if you need a sponsor for
the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
don't know if these CVEs warrant a DSA, so ping the security team
first with a source debdiff and see what they say, and if they say no
then ping the release team instead); thanks for taking care of updates
for stable/oldstable/oldoldstable!

Regards,
Vincent
