Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

Luca Boccassi luca.boccassi at gmail.com
Sat Sep 5 11:55:43 UTC 2015

On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
> Hi,
> the following vulnerabilities were published for libvdpau.
> CVE-2015-5198[0]:
> incorrect check for security transition
> CVE-2015-5199[1]:
> directory traversal in dlopen
> CVE-2015-5200[2]:
> vulnerability in trace functionality
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> For further information see:
> [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> [3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4

Dear Alessandro and dear Security Team,

I have backported the upstream patch for the aforementioned CVEs to
jessie, wheezy and squeeze. I have attached the debdiffs for review.

I have verified they all build in amd64 and i386 chroots.

I have verified that the jessie and wheezy amd64 packages work using

Due to the need of a bare-metal installation (direct access to Nvidia
GPU is required), I have _NOT_ tested other architecture for jessie and
wheezy, and I have _NOT_ tested the squeeze build at all, because I do
not possess hardware capable of running with squeeze drivers, but given
the fact that it's the same upstream version as the wheezy build I am
reasonably confident it should work.

Two questions for you:

1) Do these CVEs warrant a DSA and an upload to security.debian.org, or
should I go through the proposed-updates route and ping the release team
2) If the answer to 1) is yes, does this apply to squeeze as well or
should I work with debian-lts team instead?

Thank you!

Kind regards,
Luca Boccassi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jessie.debdiff
Type: text/x-patch
Size: 10857 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/attachments/20150905/617c9ad3/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wheezy.debdiff
Type: text/x-patch
Size: 8520 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/attachments/20150905/617c9ad3/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squeeze.debdiff
Type: text/x-patch
Size: 8764 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/attachments/20150905/617c9ad3/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/attachments/20150905/617c9ad3/attachment-0001.sig>

More information about the pkg-nvidia-devel mailing list