On Sat, Sep 05, 2015 at 12:55:43PM +0100, Luca Boccassi wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> > Source: libvdpau
> > Severity: important
> > Tags: security, fixed-upstream
> >
> > Hi,
> >
> > the following vulnerabilities were published for libvdpau.
> >
> > CVE-2015-5198[0]:
> > incorrect check for security transition
> >
> > CVE-2015-5199[1]:
> > directory traversal in dlopen
> >
> > CVE-2015-5200[2]:
> > vulnerability in trace functionality
> >
> > All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> > release.
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> > [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> > [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> > [3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
>
> Dear Alessandro and dear Security Team,
>
> I have backported the upstream patch for the aforementioned CVEs to
> jessie, wheezy and squeeze. I have attached the debdiffs for review.
>
> I have verified they all build in amd64 and i386 chroots.
>
> I have verified that the jessie and wheezy amd64 packages work using
> "vdpauinfo".
>
> Due to the need for a bare-metal installation (direct access to an Nvidia
> GPU is required), I have _NOT_ tested other architectures for jessie and
> wheezy, and I have _NOT_ tested the squeeze build at all, because I do
> not possess hardware capable of running with squeeze drivers, but given
> the fact that it's the same upstream version as the wheezy build I am
> reasonably confident it should work.
>
> Two questions for you:
>
> 1) Do these CVEs warrant a DSA and an upload to security.debian.org, or
> should I go through the proposed-updates route and ping the release team
> instead?

Yeah, we intend to release a DSA for this. The jessie and wheezy diffs
look good, so please go ahead and upload them to security-master. Note
that they both need to be built with the -sa dpkg-buildpackage flag,
since these would be the first jessie and wheezy security uploads for
the package.

> 2) If the answer to 1) is yes, does this apply to squeeze as well or
> should I work with the debian-lts team instead?

Yeah, you need to contact the LTS people for squeeze.

Thanks for your help.

Cheers
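The -sa remark above is a packaging step, not a change to libvdpau itself: dpkg-buildpackage -sa passes -sa on to dpkg-genchanges, which forces the .orig tarball to be listed in the .changes file, and security-master needs that tarball for the first upload of a package to a suite. As an added example that is not part of this thread or of the Debian tooling, the following POSIX shell check reads a .changes file and confirms that its Files field carries an .orig.tar.* entry, so a forgotten -sa is caught before upload. The package name, checksums and sizes in the sample .changes files are constructed for illustration.

```shell
# Added example, not from the thread: pre-upload check that a .changes file
# produced by "dpkg-buildpackage -sa" actually lists the .orig tarball.

# Return 0 if the Files: field of the given .changes lists an .orig.tar.*,
# 1 otherwise. Continuation lines of a multi-line field start with a space,
# so any line that does not ends the Files: stanza.
changes_has_orig() {
    awk '
        /^Files:/ { infiles = 1; next }
        /^[^ ]/   { infiles = 0 }
        infiles && $NF ~ /\.orig\.tar\.(gz|bz2|xz)$/ { found = 1 }
        END       { exit found ? 0 : 1 }
    ' "$1"
}

# Write a constructed sample .changes (package "example", fake checksums
# and sizes) to $1; include the orig tarball entry only when $2 is "yes".
write_sample_changes() {
    out="$1"
    with_orig="$2"
    {
        printf 'Format: 1.8\n'
        printf 'Source: example\n'
        printf 'Architecture: source\n'
        printf 'Version: 1.0-1\n'
        printf 'Distribution: jessie-security\n'
        printf 'Checksums-Sha256:\n'
        printf ' 0000000000000000000000000000000000000000000000000000000000000000 1234 example_1.0-1.dsc\n'
        printf 'Files:\n'
        printf ' 00000000000000000000000000000000 1234 libs optional example_1.0-1.dsc\n'
        if [ "$with_orig" = yes ]; then
            printf ' 00000000000000000000000000000000 56789 libs optional example_1.0.orig.tar.gz\n'
        fi
        printf ' 00000000000000000000000000000000 2345 libs optional example_1.0-1.debian.tar.xz\n'
    } > "$out"
}

# Demonstration on the two constructed samples.
demo() {
    d=$(mktemp -d)
    write_sample_changes "$d/with-sa.changes" yes
    write_sample_changes "$d/without-sa.changes" no
    for f in "$d"/*.changes; do
        if changes_has_orig "$f"; then
            echo "ok      $f"
        else
            echo "MISSING orig tarball in $f (rebuild with -sa)"
        fi
    done
    rm -rf "$d"
}

demo
```

Run `changes_has_orig` on the `.changes` that dpkg-buildpackage wrote before uploading; a non-zero exit means the build was done without -sa and will be rejected for lack of the orig tarball. The check is deliberately conservative: it only looks at the Files field, so a tarball listed solely under a Checksums field would not count.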