Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
ghedo at debian.org
Sat Sep 5 13:10:06 UTC 2015
On Sat, Sep 05, 2015 at 12:55:43PM +0100, Luca Boccassi wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> > Source: libvdpau
> > Severity: important
> > Tags: security, fixed-upstream
> > Hi,
> > the following vulnerabilities were published for libvdpau.
> > CVE-2015-5198:
> > incorrect check for security transition
> > CVE-2015-5199:
> > directory traversal in dlopen
> > CVE-2015-5200:
> > vulnerability in trace functionality
> > All of them are fixed by the patch , shipped in the 1.1.1 upstream
> > release.
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > For further information see:
> >  https://security-tracker.debian.org/tracker/CVE-2015-5198
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> >  https://security-tracker.debian.org/tracker/CVE-2015-5199
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> >  https://security-tracker.debian.org/tracker/CVE-2015-5200
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> >  http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
> Dear Alessandro and dear Security Team,
> I have backported the upstream patch for the aforementioned CVEs to
> jessie, wheezy and squeeze. I have attached the debdiffs for review.
> I have verified they all build in amd64 and i386 chroots.
> I have verified that the jessie and wheezy amd64 packages work using
> Due to the need of a bare-metal installation (direct access to Nvidia
> GPU is required), I have _NOT_ tested other architecture for jessie and
> wheezy, and I have _NOT_ tested the squeeze build at all, because I do
> not possess hardware capable of running with squeeze drivers, but given
> the fact that it's the same upstream version as the wheezy build I am
> reasonably confident it should work.
> Two questions for you:
> 1) Do these CVEs warrant a DSA and an upload to security.debian.org, or
> should I go through the proposed-updates route and ping the release team
Yeah, we intend to release a DSA for this. The jessie and wheezy diffs look
good, so please go ahead and upload them to security-master. Note that they
both need to be built with the -sa dpkg-buildpackage flag, since these would
be the first jessie and wheezy security uploads for the package.
> 2) If the answer to 1) is yes, does this apply to squeeze as well or
> should I work with debian-lts team instead?
Yeah, you need to contact the LTS people for squeeze.
Thanks for your help.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: Digital signature
More information about the pkg-nvidia-devel