Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
luca.boccassi at gmail.com
Sat Sep 5 14:00:15 UTC 2015
On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.boccassi at gmail.com> wrote:
> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> >> Source: libvdpau
> >> Severity: important
> >> Tags: security, fixed-upstream
> >> Hi,
> >> the following vulnerabilities were published for libvdpau.
> >> CVE-2015-5198:
> >> incorrect check for security transition
> >> CVE-2015-5199:
> >> directory traversal in dlopen
> >> CVE-2015-5200:
> >> vulnerability in trace functionality
> >> All of them are fixed by the patch, shipped in the 1.1.1 upstream
> >> release.
> >> If you fix the vulnerabilities please also make sure to include the
> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > Hello Alessandro,
> > Thanks for the heads-up!
> > Vincent, Andreas,
> > I have updated the libvdpau git repo with the new release. I have
> > tested the amd64 and i386 packages in Jessie, and they seem to work just
> > fine with vdpauinfo and VLC.
> > Could you please review and do a new upload, when you have time?
> > Thanks!
> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
> Uploaded, thanks! I'll make a note to myself to update the package in
> jessie-backports as well. Luca, let me know if you need a sponsor for
> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
> don't know if these CVEs warrant a DSA, so ping the security team
> first with a source debdiff and see what they say, and if they say no
> then ping the release team instead); thanks for taking care of updates
> for stable/oldstable/oldoldstable!
Thanks for uploading 1.1.1!
I have pushed to the git repo the backported changes for jessie and
wheezy. Alessandro confirmed that the Security Team would like to
release a DSA for this, so could you please sponsor the upload to
security-master when you have time? I added you to the Uploaders in the
wheezy branch already.