Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

Alessandro Ghedini ghedo at debian.org
Sat Sep 5 13:10:06 UTC 2015 

On Sat, Sep 05, 2015 at 12:55:43PM +0100, Luca Boccassi wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> > Source: libvdpau
> > Severity: important
> > Tags: security, fixed-upstream
> > 
> > Hi,
> > 
> > the following vulnerabilities were published for libvdpau.
> > 
> > CVE-2015-5198[0]:
> > incorrect check for security transition
> > 
> > CVE-2015-5199[1]:
> > directory traversal in dlopen
> > 
> > CVE-2015-5200[2]:
> > vulnerability in trace functionality
> > 
> > All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> > release.
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> > [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> > [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> > [3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
> 
> Dear Alessandro and dear Security Team,
> 
> I have backported the upstream patch for the aforementioned CVEs to
> jessie, wheezy and squeeze. I have attached the debdiffs for review.
> 
> I have verified they all build in amd64 and i386 chroots.
> 
> I have verified that the jessie and wheezy amd64 packages work using
> "vdpauinfo".
> 
> Due to the need of a bare-metal installation (direct access to Nvidia
> GPU is required), I have _NOT_ tested other architecture for jessie and
> wheezy, and I have _NOT_ tested the squeeze build at all, because I do
> not possess hardware capable of running with squeeze drivers, but given
> the fact that it's the same upstream version as the wheezy build I am
> reasonably confident it should work.
> 
> Two questions for you:
> 
> 1) Do these CVEs warrant a DSA and an upload to security.debian.org, or
> should I go through the proposed-updates route and ping the release team
> instead?

Yeah, we intend to release a DSA for this. The jessie and wheezy diffs look
good, so please go ahead and upload them to security-master. Note that they
both need to be built with the -sa dpkg-buildpackage flag, since these would
be the first jessie and wheezy security uploads for the package.

> 2) If the answer to 1) is yes, does this apply to squeeze as well or
> should I work with debian-lts team instead?

Yeah, you need to contact the LTS people for squeeze.

Thanks for your help.

Cheers
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/attachments/20150905/21655a5f/attachment-0001.sig>

More information about the pkg-nvidia-devel mailing list