Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

Vincent Cheng vcheng at debian.org
Mon Sep 7 05:01:32 UTC 2015


On Sat, Sep 5, 2015 at 7:00 AM, Luca Boccassi <luca.boccassi at gmail.com> wrote:
> On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
>> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.boccassi at gmail.com> wrote:
>> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> >> Source: libvdpau
>> >> Severity: important
>> >> Tags: security, fixed-upstream
>> >>
>> >> Hi,
>> >>
>> >> the following vulnerabilities were published for libvdpau.
>> >>
>> >> CVE-2015-5198[0]:
>> >> incorrect check for security transition
>> >>
>> >> CVE-2015-5199[1]:
>> >> directory traversal in dlopen
>> >>
>> >> CVE-2015-5200[2]:
>> >> vulnerability in trace functionality
>> >>
>> >> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
>> >> release.
>> >>
>> >> If you fix the vulnerabilities please also make sure to include the
>> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>> >
>> > Hello Alessandro,
>> >
>> > Thanks for the heads-up!
>> >
>> > Vincent, Andreas,
>> >
>> > I have updated the libvdpau git repo with the new release [1]. I have
>> > tested the amd64 and i386 packages in Jessie, and they seem to work just
>> > fine with vdpauinfo and VLC.
>> >
>> > Could you please review and do a new upload, when you have time?
>> >
>> > Thanks!
>> >
>> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
>>
>> Uploaded, thanks! I'll make a note to myself to update the package in
>> jessie-backports as well. Luca, let me know if you need a sponsor for
>> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
>> don't know if these CVEs warrant a DSA, so ping the security team
>> first with a source debdiff and see what they say, and if they say no
>> then ping the release team instead); thanks for taking care of updates
>> for stable/oldstable/oldoldstable!
>
> Hello Vincent,
>
> Thanks for uploading 1.1.1!
>
> I have pushed to the git repo the backported changes for jessie [1] and
> wheezy [2]. Alessandro confirmed that the Security Team would like to
> release a DSA for this [3], so could you please sponsor the upload to
> security-master when you have time? I added you to the Uploaders in the
> wheezy branch already.

Uploaded to security-master, thanks for preparing these updated
packages! It's worth pointing out that adding yourself to uploaders in
d/control isn't necessary for security uploads, although I suppose it
doesn't actually make any difference either way.

I'll take a look at the squeeze-lts update next.

Regards,
Vincent
