Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

2015-09-07 Thread Luca Boccassi
On Sep 7, 2015 06:01, "Vincent Cheng" wrote:
> On Sat, Sep 5, 2015 at 7:00 AM, Luca Boccassi wrote:
> > I have pushed to the git repo the backported changes for jessie [1] and
> > wheezy [2]. Alessandro confirmed that the Security Team would like to
> > release a DSA for this [3], so could you please sponsor the upload to
> > security-master when you have time? I added you to the Uploaders in the
> > wheezy branch already.
>
> Uploaded to security-master, thanks for preparing these updated
> packages! It's worth pointing out that adding yourself to uploaders in
> d/control isn't necessary for security uploads, although I suppose it
> doesn't actually make any difference either way.
>
> I'll take a look at the squeeze-lts update next.

Ah sorry, didn't know about the uploaders field, I thought it was like
normal uploads in that regard.

Thanks for taking care of it!

Kind regards,
Luca Boccassi


Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

2015-09-06 Thread Vincent Cheng
On Sat, Sep 5, 2015 at 7:00 AM, Luca Boccassi wrote:
> On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
>> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi wrote:
>> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> >> Source: libvdpau
>> >> Severity: important
>> >> Tags: security, fixed-upstream
>> >>
>> >> Hi,
>> >>
>> >> the following vulnerabilities were published for libvdpau.
>> >>
>> >> CVE-2015-5198[0]:
>> >> incorrect check for security transition
>> >>
>> >> CVE-2015-5199[1]:
>> >> directory traversal in dlopen
>> >>
>> >> CVE-2015-5200[2]:
>> >> vulnerability in trace functionality
>> >>
>> >> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
>> >> release.
>> >>
>> >> If you fix the vulnerabilities please also make sure to include the
>> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>> >
>> > Hello Alessandro,
>> >
>> > Thanks for the heads-up!
>> >
>> > Vincent, Andreas,
>> >
>> > I have updated the libvdpau git repo with the new release [1]. I have
>> > tested the amd64 and i386 packages in Jessie, and they seem to work just
>> > fine with vdpauinfo and VLC.
>> >
>> > Could you please review and do a new upload, when you have time?
>> >
>> > Thanks!
>> >
>> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
>>
>> Uploaded, thanks! I'll make a note to myself to update the package in
>> jessie-backports as well. Luca, let me know if you need a sponsor for
>> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
>> don't know if these CVEs warrant a DSA, so ping the security team
>> first with a source debdiff and see what they say, and if they say no
>> then ping the release team instead); thanks for taking care of updates
>> for stable/oldstable/oldoldstable!
>
> Hello Vincent,
>
> Thanks for uploading 1.1.1!
>
> I have pushed to the git repo the backported changes for jessie [1] and
> wheezy [2]. Alessandro confirmed that the Security Team would like to
> release a DSA for this [3], so could you please sponsor the upload to
> security-master when you have time? I added you to the Uploaders in the
> wheezy branch already.

Uploaded to security-master, thanks for preparing these updated
packages! It's worth pointing out that adding yourself to uploaders in
d/control isn't necessary for security uploads, although I suppose it
doesn't actually make any difference either way.

I'll take a look at the squeeze-lts update next.

Regards,
Vincent



Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

2015-09-05 Thread Luca Boccassi
On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
> 
> Hi,
> 
> the following vulnerabilities were published for libvdpau.
> 
> CVE-2015-5198[0]:
> incorrect check for security transition
> 
> CVE-2015-5199[1]:
> directory traversal in dlopen
> 
> CVE-2015-5200[2]:
> vulnerability in trace functionality
> 
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> [3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4

Dear Alessandro and dear Security Team,

I have backported the upstream patch for the aforementioned CVEs to
jessie, wheezy and squeeze. I have attached the debdiffs for review.

I have verified they all build in amd64 and i386 chroots.

I have verified that the jessie and wheezy amd64 packages work using
"vdpauinfo".

Due to the need for a bare-metal installation (direct access to Nvidia
GPU is required), I have _NOT_ tested other architectures for jessie and
wheezy, and I have _NOT_ tested the squeeze build at all, because I do
not possess hardware capable of running with squeeze drivers, but given
the fact that it's the same upstream version as the wheezy build I am
reasonably confident it should work.

Two questions for you:

1) Do these CVEs warrant a DSA and an upload to security.debian.org, or
should I go through the proposed-updates route and ping the release team
instead?
2) If the answer to 1) is yes, does this apply to squeeze as well or
should I work with debian-lts team instead?

Thank you!

Kind regards,
Luca Boccassi
diff -Nru libvdpau-0.8/debian/changelog libvdpau-0.8/debian/changelog
--- libvdpau-0.8/debian/changelog	2014-10-19 21:23:00.0 +0100
+++ libvdpau-0.8/debian/changelog	2015-09-05 11:34:04.0 +0100
@@ -1,3 +1,12 @@
+libvdpau (0.8-3+deb8u1) jessie-security; urgency=high
+
+  * Patch for CVE 2015-5198, 2015-5199, 2015-5200
+- Use secure_getenv(3) to improve security
+  (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895.
+  * Add myself to Uploaders
+
+ -- Luca Boccassi   Fri, 04 Sep 2015 23:23:40 +0100
+
 libvdpau (0.8-3) unstable; urgency=medium
 
   * Add a bug-script to collect some driver information.
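Review bot: In the new changelog entry, the first bullet writes the ids as "CVE 2015-5198, 2015-5199, 2015-5200", which is not the CVE-YYYY-NNNN form, and it duplicates the sub-item beneath it that already lists CVE-2015-5198, CVE-2015-5199 and CVE-2015-5200 in full. Consider replacing that bullet with the name of the added patch file (0007-Use-secure_getenv-3-to-improve-security.patch) and keeping the ids only in the sub-item. As rendered here the "- Use secure_getenv(3)" sub-item also starts at column 0 instead of being indented under its parent bullet, so check the indentation in the actual file.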
diff -Nru libvdpau-0.8/debian/control libvdpau-0.8/debian/control
--- libvdpau-0.8/debian/control	2014-10-19 21:23:00.0 +0100
+++ libvdpau-0.8/debian/control	2015-09-05 11:34:04.0 +0100
@@ -6,7 +6,8 @@
  Jean-Yves Avenard ,
  Russ Allbery ,
  Andreas Beckmann ,
- Vincent Cheng 
+ Vincent Cheng ,
+ Luca Boccassi 
 Build-Depends:
  debhelper (>= 9),
  dh-autoreconf,
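Review bot: The Uploaders change (adding "Luca Boccassi" after "Vincent Cheng") is unrelated to the CVE fix, yet it rides along in an upload targeted at jessie-security. A security debdiff is easier to review and audit when it contains only the fix, so consider dropping this hunk together with the matching "Add myself to Uploaders" changelog line, and making the Uploaders change in the regular development branch instead.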
diff -Nru libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch
--- libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch	1970-01-01 01:00:00.0 +0100
+++ libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch	2015-09-05 11:34:04.0 +0100
@@ -0,0 +1,256 @@
+From: José Hiram Soltren 
+Date: Mon, 17 Aug 2015 16:01:44 -0500
+Subject: Use secure_getenv(3) to improve security
+
+This patch is in response to the following security vulnerabilities
+(CVEs) reported to NVIDIA against libvdpau:
+
+CVE-2015-5198
+CVE-2015-5199
+CVE-2015-5200
+
+To address these CVEs, this patch:
+
+- replaces all uses of getenv(3) with secure_getenv(3);
+- uses secure_getenv(3) when available, with a fallback option;
+- protects VDPAU_DRIVER against directory traversal by checking for '/'
+
+On platforms where secure_getenv(3) is not available, the C preprocessor
+will print a warning at compile time. Then, a preprocessor macro will
+replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check:
+
+  getuid() == geteuid() && getgid() == getegid()
+
+See getuid(2) and getgid(2) for further details.
+
+Signed-off-by: Aaron Plattner 
+Reviewed-by: Florian Weimer 
+---
+ configure.ac  |  4 
+ src/Makefile.am   |  1 +
+ src/mesa_dri2.c   |  6 --
+ src/util.h| 48 
+ src/vdpau_wrapper.c   | 28 
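Review bot: The fallback described in the patch header, getenv_wrapper() with the check "getuid() == geteuid() && getgid() == getegid()", only detects a setuid or setgid transition, whereas secure_getenv(3) on glibc also returns NULL in other secure-execution cases such as a binary carrying file capabilities. It would help to state that limitation next to the fallback in src/util.h, so that builds which hit the compile-time warning are known to get the weaker check. The header also carries From, Date and Subject but no Origin or Bug-Debian field; adding the upstream commit URL given in the bug report and #797895 would make the backport traceable.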

Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

2015-09-05 Thread Alessandro Ghedini
On Sat, Sep 05, 2015 at 12:55:43PM +0100, Luca Boccassi wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> > Source: libvdpau
> > Severity: important
> > Tags: security, fixed-upstream
> > 
> > Hi,
> > 
> > the following vulnerabilities were published for libvdpau.
> > 
> > CVE-2015-5198[0]:
> > incorrect check for security transition
> > 
> > CVE-2015-5199[1]:
> > directory traversal in dlopen
> > 
> > CVE-2015-5200[2]:
> > vulnerability in trace functionality
> > 
> > All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> > release.
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> > [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> > [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> > [3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
> 
> Dear Alessandro and dear Security Team,
> 
> I have backported the upstream patch for the aforementioned CVEs to
> jessie, wheezy and squeeze. I have attached the debdiffs for review.
> 
> I have verified they all build in amd64 and i386 chroots.
> 
> I have verified that the jessie and wheezy amd64 packages work using
> "vdpauinfo".
> 
> Due to the need for a bare-metal installation (direct access to Nvidia
> GPU is required), I have _NOT_ tested other architectures for jessie and
> wheezy, and I have _NOT_ tested the squeeze build at all, because I do
> not possess hardware capable of running with squeeze drivers, but given
> the fact that it's the same upstream version as the wheezy build I am
> reasonably confident it should work.
> 
> Two questions for you:
> 
> 1) Do these CVEs warrant a DSA and an upload to security.debian.org, or
> should I go through the proposed-updates route and ping the release team
> instead?

Yeah, we intend to release a DSA for this. The jessie and wheezy diffs look
good, so please go ahead and upload them to security-master. Note that they
both need to be built with the -sa dpkg-buildpackage flag, since these would
be the first jessie and wheezy security uploads for the package.

> 2) If the answer to 1) is yes, does this apply to squeeze as well or
> should I work with debian-lts team instead?

Yeah, you need to contact the LTS people for squeeze.

Thanks for your help.

Cheers




Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

2015-09-05 Thread Luca Boccassi
On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi wrote:
> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> >> Source: libvdpau
> >> Severity: important
> >> Tags: security, fixed-upstream
> >>
> >> Hi,
> >>
> >> the following vulnerabilities were published for libvdpau.
> >>
> >> CVE-2015-5198[0]:
> >> incorrect check for security transition
> >>
> >> CVE-2015-5199[1]:
> >> directory traversal in dlopen
> >>
> >> CVE-2015-5200[2]:
> >> vulnerability in trace functionality
> >>
> >> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> >> release.
> >>
> >> If you fix the vulnerabilities please also make sure to include the
> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > Hello Alessandro,
> >
> > Thanks for the heads-up!
> >
> > Vincent, Andreas,
> >
> > I have updated the libvdpau git repo with the new release [1]. I have
> > tested the amd64 and i386 packages in Jessie, and they seem to work just
> > fine with vdpauinfo and VLC.
> >
> > Could you please review and do a new upload, when you have time?
> >
> > Thanks!
> >
> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
> 
> Uploaded, thanks! I'll make a note to myself to update the package in
> jessie-backports as well. Luca, let me know if you need a sponsor for
> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
> don't know if these CVEs warrant a DSA, so ping the security team
> first with a source debdiff and see what they say, and if they say no
> then ping the release team instead); thanks for taking care of updates
> for stable/oldstable/oldoldstable!

Hello Vincent,

Thanks for uploading 1.1.1!

I have pushed to the git repo the backported changes for jessie [1] and
wheezy [2]. Alessandro confirmed that the Security Team would like to
release a DSA for this [3], so could you please sponsor the upload to
security-master when you have time? I added you to the Uploaders in the
wheezy branch already.

Thanks!

Kind regards,
Luca Boccassi

[1] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git/log/?h=jessie-security
[2] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git/log/?h=wheezy-security
[3] http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/2015-September/011509.html




Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

2015-09-03 Thread Luca Boccassi
On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
> 
> Hi,
> 
> the following vulnerabilities were published for libvdpau.
> 
> CVE-2015-5198[0]:
> incorrect check for security transition
> 
> CVE-2015-5199[1]:
> directory traversal in dlopen
> 
> CVE-2015-5200[2]:
> vulnerability in trace functionality
> 
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Hello Alessandro,

Thanks for the heads-up!

Vincent, Andreas,

I have updated the libvdpau git repo with the new release [1]. I have
tested the amd64 and i386 packages in Jessie, and they seem to work just
fine with vdpauinfo and VLC.

Could you please review and do a new upload, when you have time?

Thanks!

Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.

Kind regards,
Luca Boccassi

[1] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git




Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

2015-09-03 Thread Alessandro Ghedini
Source: libvdpau
Severity: important
Tags: security, fixed-upstream

Hi,

the following vulnerabilities were published for libvdpau.

CVE-2015-5198[0]:
incorrect check for security transition

CVE-2015-5199[1]:
directory traversal in dlopen

CVE-2015-5200[2]:
vulnerability in trace functionality

All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
release.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5198
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
[1] https://security-tracker.debian.org/tracker/CVE-2015-5199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
[2] https://security-tracker.debian.org/tracker/CVE-2015-5200
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
[3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4

Please adjust the affected versions in the BTS as needed.

Cheers




Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

2015-09-03 Thread Vincent Cheng
On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> Source: libvdpau
>> Severity: important
>> Tags: security, fixed-upstream
>>
>> Hi,
>>
>> the following vulnerabilities were published for libvdpau.
>>
>> CVE-2015-5198[0]:
>> incorrect check for security transition
>>
>> CVE-2015-5199[1]:
>> directory traversal in dlopen
>>
>> CVE-2015-5200[2]:
>> vulnerability in trace functionality
>>
>> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
>> release.
>>
>> If you fix the vulnerabilities please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> Hello Alessandro,
>
> Thanks for the heads-up!
>
> Vincent, Andreas,
>
> I have updated the libvdpau git repo with the new release [1]. I have
> tested the amd64 and i386 packages in Jessie, and they seem to work just
> fine with vdpauinfo and VLC.
>
> Could you please review and do a new upload, when you have time?
>
> Thanks!
>
> Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.

Uploaded, thanks! I'll make a note to myself to update the package in
jessie-backports as well. Luca, let me know if you need a sponsor for
the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
don't know if these CVEs warrant a DSA, so ping the security team
first with a source debdiff and see what they say, and if they say no
then ping the release team instead); thanks for taking care of updates
for stable/oldstable/oldoldstable!

Regards,
Vincent