Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Luca Boccassi
luca.boccassi at gmail.com
Sat Sep 5 11:55:43 UTC 2015
On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
>
> Hi,
>
> the following vulnerabilities were published for libvdpau.
>
> CVE-2015-5198[0]:
> incorrect check for security transition
>
> CVE-2015-5199[1]:
> directory traversal in dlopen
>
> CVE-2015-5200[2]:
> vulnerability in trace functionality
>
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> [3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
Dear Alessandro and dear Security Team,

I have backported the upstream patch for the aforementioned CVEs to
jessie, wheezy and squeeze. I have attached the debdiffs for review.

I have verified they all build in amd64 and i386 chroots.

I have verified that the jessie and wheezy amd64 packages work using
"vdpauinfo".

Due to the need for a bare-metal installation (direct access to Nvidia
GPU is required), I have _NOT_ tested other architectures for jessie and
wheezy, and I have _NOT_ tested the squeeze build at all, because I do
not possess hardware capable of running with squeeze drivers, but given
the fact that it's the same upstream version as the wheezy build I am
reasonably confident it should work.

Two questions for you:

1) Do these CVEs warrant a DSA and an upload to security.debian.org, or
should I go through the proposed-updates route and ping the release team
instead?

2) If the answer to 1) is yes, does this apply to squeeze as well or
should I work with debian-lts team instead?

Thank you!

Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jessie.debdiff
Type: text/x-patch
Size: 10857 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/attachments/20150905/617c9ad3/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wheezy.debdiff
Type: text/x-patch
Size: 8520 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/attachments/20150905/617c9ad3/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squeeze.debdiff
Type: text/x-patch
Size: 8764 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/attachments/20150905/617c9ad3/attachment-0005.bin>