Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

Luca Boccassi luca.boccassi at gmail.com
Sat Sep 5 14:00:15 UTC 2015


On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.boccassi at gmail.com> wrote:
> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> >> Source: libvdpau
> >> Severity: important
> >> Tags: security, fixed-upstream
> >>
> >> Hi,
> >>
> >> the following vulnerabilities were published for libvdpau.
> >>
> >> CVE-2015-5198[0]:
> >> incorrect check for security transition
> >>
> >> CVE-2015-5199[1]:
> >> directory traversal in dlopen
> >>
> >> CVE-2015-5200[2]:
> >> vulnerability in trace functionality
> >>
> >> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> >> release.
> >>
> >> If you fix the vulnerabilities please also make sure to include the
> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > Hello Alessandro,
> >
> > Thanks for the heads-up!
> >
> > Vincent, Andreas,
> >
> > I have updated the libvdpau git repo with the new release [1]. I have
> > tested the amd64 and i386 packages in Jessie, and they seem to work just
> > fine with vdpauinfo and VLC.
> >
> > Could you please review and do a new upload, when you have time?
> >
> > Thanks!
> >
> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
> 
> Uploaded, thanks! I'll make a note to myself to update the package in
> jessie-backports as well. Luca, let me know if you need a sponsor for
> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
> don't know if these CVEs warrant a DSA, so ping the security team
> first with a source debdiff and see what they say, and if they say no
> then ping the release team instead); thanks for taking care of updates
> for stable/oldstable/oldoldstable!

Hello Vincent,

Thanks for uploading 1.1.1!

I have pushed to the git repo the backported changes for jessie [1] and
wheezy [2]. Alessandro confirmed that the Security Team would like to
release a DSA for this [3], so could you please sponsor the upload to
security-master when you have time? I added you to the Uploaders in the
wheezy branch already.

Thanks!

Kind regards,
Luca Boccassi

[1] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git/log/?h=jessie-security
[2] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git/log/?h=wheezy-security
[3] http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/2015-September/011509.html