Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
vcheng at debian.org
Fri Sep 4 05:40:37 UTC 2015
On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.boccassi at gmail.com> wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> Source: libvdpau
>> Severity: important
>> Tags: security, fixed-upstream
>> the following vulnerabilities were published for libvdpau.
>> incorrect check for security transition
>> directory traversal in dlopen
>> vulnerability in trace functionality
>> All of them are fixed by the patch, shipped in the 1.1.1 upstream
>> If you fix the vulnerabilities please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> Hello Alessandro,
> Thanks for the heads-up!
> Vincent, Andreas,
> I have updated the libvdpau git repo with the new release. I have
> tested the amd64 and i386 packages in Jessie, and they seem to work just
> fine with vdpauinfo and VLC.
> Could you please review and do a new upload, when you have time?
> Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
Uploaded, thanks! I'll make a note to myself to update the package in
jessie-backports as well. Luca, let me know if you need a sponsor for
the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
don't know if these CVEs warrant a DSA, so ping the security team
first with a source debdiff and see what they say, and if they say no
then ping the release team instead); thanks for taking care of updates
More information about the pkg-nvidia-devel