Source: onevpl
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for onevpl.

CVE-2023-22656[0]:
| Out-of-bounds read in Intel(R) Media SDK and some Intel(R) oneVPL
| software before version 23.3.5 may allow an authenticated user to
| potentially enable escalation of privilege via local access.

CVE-2023-45221[1]:
| Improper buffer restrictions in Intel(R) Media SDK all versions may
| allow an authenticated user to potentially enable escalation of
| privilege via local access.

CVE-2023-47169[2]:
| Improper buffer restrictions in Intel(R) Media SDK software all
| versions may allow an authenticated user to potentially enable
| denial of service via local access.

CVE-2023-47282[3]:
| Out-of-bounds write in Intel(R) Media SDK all versions and some
| Intel(R) oneVPL software before version 23.3.5 may allow an
| authenticated user to potentially enable escalation of privilege via
| local access.

CVE-2023-48368[4]:
| Improper input validation in Intel(R) Media SDK software all
| versions may allow an authenticated user to potentially enable
| denial of service via local access.

CVE-2023-48727[5]:
| NULL pointer dereference in some Intel(R) oneVPL software before
| version 23.3.5 may allow an authenticated user to potentially enable
| information disclosure via local access.

Sadly there's no specific information, just the very high level advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22656
    https://www.cve.org/CVERecord?id=CVE-2023-22656
[1] https://security-tracker.debian.org/tracker/CVE-2023-45221
    https://www.cve.org/CVERecord?id=CVE-2023-45221
[2] https://security-tracker.debian.org/tracker/CVE-2023-47169
    https://www.cve.org/CVERecord?id=CVE-2023-47169
[3] https://security-tracker.debian.org/tracker/CVE-2023-47282
    https://www.cve.org/CVERecord?id=CVE-2023-47282
[4] https://security-tracker.debian.org/tracker/CVE-2023-48368
    https://www.cve.org/CVERecord?id=CVE-2023-48368
[5] https://security-tracker.debian.org/tracker/CVE-2023-48727
    https://www.cve.org/CVERecord?id=CVE-2023-48727

Please adjust the affected versions in the BTS as needed.
