Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
On Sep 7, 2015 06:01, "Vincent Cheng" wrote:
> On Sat, Sep 5, 2015 at 7:00 AM, Luca Boccassi wrote:
> > I have pushed to the git repo the backported changes for jessie [1] and
> > wheezy [2]. Alessandro confirmed that the Security Team would like to
> > release a DSA for this [3], so could you please sponsor the upload to
> > security-master when you have time? I added you to the Uploaders in the
> > wheezy branch already.
>
> Uploaded to security-master, thanks for preparing these updated
> packages! It's worth pointing out that adding yourself to uploaders in
> d/control isn't necessary for security uploads, although I suppose it
> doesn't actually make any difference either way.
>
> I'll take a look at the squeeze-lts update next.

Ah sorry, didn't know about the uploaders field, I thought it was like
normal uploads in that regard.

Thanks for taking care of it!

Kind regards,
Luca Boccassi
Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
On Sat, Sep 5, 2015 at 7:00 AM, Luca Boccassi wrote:
> On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
>> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi wrote:
>> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> >> Source: libvdpau
>> >> Severity: important
>> >> Tags: security, fixed-upstream
>> >>
>> >> Hi,
>> >>
>> >> the following vulnerabilities were published for libvdpau.
>> >>
>> >> CVE-2015-5198[0]:
>> >> incorrect check for security transition
>> >>
>> >> CVE-2015-5199[1]:
>> >> directory traversal in dlopen
>> >>
>> >> CVE-2015-5200[2]:
>> >> vulnerability in trace functionality
>> >>
>> >> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
>> >> release.
>> >>
>> >> If you fix the vulnerabilities please also make sure to include the
>> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>> >
>> > Hello Alessandro,
>> >
>> > Thanks for the heads-up!
>> >
>> > Vincent, Andreas,
>> >
>> > I have updated the libvdpau git repo with the new release [1]. I have
>> > tested the amd64 and i386 packages in Jessie, and they seem to work just
>> > fine with vdpauinfo and VLC.
>> >
>> > Could you please review and do a new upload, when you have time?
>> >
>> > Thanks!
>> >
>> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
>>
>> Uploaded, thanks! I'll make a note to myself to update the package in
>> jessie-backports as well. Luca, let me know if you need a sponsor for
>> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
>> don't know if these CVEs warrant a DSA, so ping the security team
>> first with a source debdiff and see what they say, and if they say no
>> then ping the release team instead); thanks for taking care of updates
>> for stable/oldstable/oldoldstable!
>
> Hello Vincent,
>
> Thanks for uploading 1.1.1!
>
> I have pushed to the git repo the backported changes for jessie [1] and
> wheezy [2]. Alessandro confirmed that the Security Team would like to
> release a DSA for this [3], so could you please sponsor the upload to
> security-master when you have time? I added you to the Uploaders in the
> wheezy branch already.

Uploaded to security-master, thanks for preparing these updated
packages! It's worth pointing out that adding yourself to uploaders in
d/control isn't necessary for security uploads, although I suppose it
doesn't actually make any difference either way.

I'll take a look at the squeeze-lts update next.

Regards,
Vincent
Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
>
> Hi,
>
> the following vulnerabilities were published for libvdpau.
>
> CVE-2015-5198[0]:
> incorrect check for security transition
>
> CVE-2015-5199[1]:
> directory traversal in dlopen
>
> CVE-2015-5200[2]:
> vulnerability in trace functionality
>
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> [3]
> http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4

Dear Alessandro and dear Security Team,

I have backported the upstream patch for the aforementioned CVEs to
jessie, wheezy and squeeze. I have attached the debdiffs for review.

I have verified they all build in amd64 and i386 chroots.

I have verified that the jessie and wheezy amd64 packages work using
"vdpauinfo".

Due to the need of a bare-metal installation (direct access to Nvidia
GPU is required), I have _NOT_ tested other architecture for jessie and
wheezy, and I have _NOT_ tested the squeeze build at all, because I do
not possess hardware capable of running with squeeze drivers, but given
the fact that it's the same upstream version as the wheezy build I am
reasonably confident it should work.
Two questions for you: 1) Do these CVEs warrant a DSA and an upload to security.debian.org, or should I go through the proposed-updates route and ping the release team instead? 2) If the answer to 1) is yes, does this apply to squeeze as well or should I work with debian-lts team instead? Thank you! Kind regards, Luca Boccassi diff -Nru libvdpau-0.8/debian/changelog libvdpau-0.8/debian/changelog --- libvdpau-0.8/debian/changelog 2014-10-19 21:23:00.0 +0100 +++ libvdpau-0.8/debian/changelog 2015-09-05 11:34:04.0 +0100 @@ -1,3 +1,12 @@ +libvdpau (0.8-3+deb8u1) jessie-security; urgency=high + + * Patch for CVE 2015-5198, 2015-5199, 2015-5200 +- Use secure_getenv(3) to improve security + (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895. + * Add myself to Uploaders + + -- Luca BoccassiFri, 04 Sep 2015 23:23:40 +0100 + libvdpau (0.8-3) unstable; urgency=medium * Add a bug-script to collect some driver information. diff -Nru libvdpau-0.8/debian/control libvdpau-0.8/debian/control --- libvdpau-0.8/debian/control 2014-10-19 21:23:00.0 +0100 +++ libvdpau-0.8/debian/control 2015-09-05 11:34:04.0 +0100 @@ -6,7 +6,8 @@ Jean-Yves Avenard , Russ Allbery , Andreas Beckmann , - Vincent Cheng + Vincent Cheng , + Luca Boccassi Build-Depends: debhelper (>= 9), dh-autoreconf, diff -Nru libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch --- libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch 1970-01-01 01:00:00.0 +0100 +++ libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch 2015-09-05 11:34:04.0 +0100 
@@ -0,0 +1,256 @@ +From: José Hiram Soltren +Date: Mon, 17 Aug 2015 16:01:44 -0500 +Subject: Use secure_getenv(3) to improve security + +This patch is in response to the following security vulnerabilities +(CVEs) reported to NVIDIA against libvdpau: + +CVE-2015-5198 +CVE-2015-5199 +CVE-2015-5200 + +To address these CVEs, this patch: + +- replaces all uses of getenv(3) with secure_getenv(3); +- uses secure_getenv(3) when available, with a fallback option; +- protects VDPAU_DRIVER against directory traversal by checking for '/' + +On platforms where secure_getenv(3) is not available, the C preprocessor +will print a warning at compile time. Then, a preprocessor macro will +replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check: + + getuid() == geteuid() && getgid() == getegid() + +See getuid(2) and getgid(2) for further details. + +Signed-off-by: Aaron Plattner +Reviewed-by: Florian Weimer +--- + configure.ac | 4 + src/Makefile.am | 1 + + src/mesa_dri2.c | 6 -- + src/util.h| 48 + src/vdpau_wrapper.c | 28
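Review bot: In the debian/changelog hunk, the first bullet writes the identifiers as "CVE 2015-5198, 2015-5199, 2015-5200", without the hyphenated CVE-YYYY-NNNN form, so only the sub-item carries ids in the form that the request in this bug ("include the CVE ids in your changelog entry") is meant to produce. I would drop the loose list from the bullet title and keep the canonical ids once. The entry also summarises the whole fix as "Use secure_getenv(3)", while the patch description lists a separate '/' check on VDPAU_DRIVER against directory traversal; naming that check in the changelog would make it clear which change answers the dlopen traversal issue.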
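Review bot: The debian/control hunk adds a new Uploaders entry in a jessie-security upload, which has nothing to do with the three CVEs, and the changelog carries it as "Add myself to Uploaders". A security debdiff is easier to review and to justify when it contains only the fix, so I would drop this change and its changelog bullet from the security branch and make it in the regular upload instead.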
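Review bot: In the description of 0007-Use-secure_getenv-3-to-improve-security.patch, the fallback getenv_wrapper() is gated only on "getuid() == geteuid() && getgid() == getegid()", which is a narrower test than secure_getenv(3): glibc's secure_getenv also returns NULL when secure execution was triggered by file capabilities or a security-module transition, and a uid/gid comparison does not see those cases. The description should state that the fallback is weaker rather than equivalent, and because the compile-time warning is the only signal of which path was chosen, the build log of each backported release should be checked for that warning before upload. The diffstat is cut off here, so the '/' check on VDPAU_DRIVER and the src/util.h wrapper themselves could not be reviewed.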
Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
On Sat, Sep 05, 2015 at 12:55:43PM +0100, Luca Boccassi wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> > Source: libvdpau
> > Severity: important
> > Tags: security, fixed-upstream
> >
> > Hi,
> >
> > the following vulnerabilities were published for libvdpau.
> >
> > CVE-2015-5198[0]:
> > incorrect check for security transition
> >
> > CVE-2015-5199[1]:
> > directory traversal in dlopen
> >
> > CVE-2015-5200[2]:
> > vulnerability in trace functionality
> >
> > All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> > release.
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> > [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> > [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> > [3]
> > http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
>
> Dear Alessandro and dear Security Team,
>
> I have backported the upstream patch for the aforementioned CVEs to
> jessie, wheezy and squeeze. I have attached the debdiffs for review.
>
> I have verified they all build in amd64 and i386 chroots.
>
> I have verified that the jessie and wheezy amd64 packages work using
> "vdpauinfo".
>
> Due to the need of a bare-metal installation (direct access to Nvidia
> GPU is required), I have _NOT_ tested other architecture for jessie and
> wheezy, and I have _NOT_ tested the squeeze build at all, because I do
> not possess hardware capable of running with squeeze drivers, but given
> the fact that it's the same upstream version as the wheezy build I am
> reasonably confident it should work.
>
> Two questions for you:
>
> 1) Do these CVEs warrant a DSA and an upload to security.debian.org, or
> should I go through the proposed-updates route and ping the release team
> instead?

Yeah, we intend to release a DSA for this. The jessie and wheezy diffs look
good, so please go ahead and upload them to security-master. Note that they
both need to be built with the -sa dpkg-buildpackage flag, since these would
be the first jessie and wheezy security uploads for the package.

> 2) If the answer to 1) is yes, does this apply to squeeze as well or
> should I work with debian-lts team instead?

Yeah, you need to contact the LTS people for squeeze.

Thanks for your help.

Cheers
Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi wrote:
> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> >> Source: libvdpau
> >> Severity: important
> >> Tags: security, fixed-upstream
> >>
> >> Hi,
> >>
> >> the following vulnerabilities were published for libvdpau.
> >>
> >> CVE-2015-5198[0]:
> >> incorrect check for security transition
> >>
> >> CVE-2015-5199[1]:
> >> directory traversal in dlopen
> >>
> >> CVE-2015-5200[2]:
> >> vulnerability in trace functionality
> >>
> >> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> >> release.
> >>
> >> If you fix the vulnerabilities please also make sure to include the
> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > Hello Alessandro,
> >
> > Thanks for the heads-up!
> >
> > Vincent, Andreas,
> >
> > I have updated the libvdpau git repo with the new release [1]. I have
> > tested the amd64 and i386 packages in Jessie, and they seem to work just
> > fine with vdpauinfo and VLC.
> >
> > Could you please review and do a new upload, when you have time?
> >
> > Thanks!
> >
> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
>
> Uploaded, thanks! I'll make a note to myself to update the package in
> jessie-backports as well. Luca, let me know if you need a sponsor for
> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
> don't know if these CVEs warrant a DSA, so ping the security team
> first with a source debdiff and see what they say, and if they say no
> then ping the release team instead); thanks for taking care of updates
> for stable/oldstable/oldoldstable!

Hello Vincent,

Thanks for uploading 1.1.1!

I have pushed to the git repo the backported changes for jessie [1] and
wheezy [2]. Alessandro confirmed that the Security Team would like to
release a DSA for this [3], so could you please sponsor the upload to
security-master when you have time? I added you to the Uploaders in the
wheezy branch already.

Thanks!

Kind regards,
Luca Boccassi

[1] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git/log/?h=jessie-security
[2] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git/log/?h=wheezy-security
[3] http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/2015-September/011509.html
Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
>
> Hi,
>
> the following vulnerabilities were published for libvdpau.
>
> CVE-2015-5198[0]:
> incorrect check for security transition
>
> CVE-2015-5199[1]:
> directory traversal in dlopen
>
> CVE-2015-5200[2]:
> vulnerability in trace functionality
>
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Hello Alessandro,

Thanks for the heads-up!

Vincent, Andreas,

I have updated the libvdpau git repo with the new release [1]. I have
tested the amd64 and i386 packages in Jessie, and they seem to work just
fine with vdpauinfo and VLC.

Could you please review and do a new upload, when you have time?

Thanks!

Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.

Kind regards,
Luca Boccassi

[1] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git
Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Source: libvdpau
Severity: important
Tags: security, fixed-upstream

Hi,

the following vulnerabilities were published for libvdpau.

CVE-2015-5198[0]:
incorrect check for security transition

CVE-2015-5199[1]:
directory traversal in dlopen

CVE-2015-5200[2]:
vulnerability in trace functionality

All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
release.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5198
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
[1] https://security-tracker.debian.org/tracker/CVE-2015-5199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
[2] https://security-tracker.debian.org/tracker/CVE-2015-5200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
[3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4

Please adjust the affected versions in the BTS as needed.

Cheers
Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> Source: libvdpau
>> Severity: important
>> Tags: security, fixed-upstream
>>
>> Hi,
>>
>> the following vulnerabilities were published for libvdpau.
>>
>> CVE-2015-5198[0]:
>> incorrect check for security transition
>>
>> CVE-2015-5199[1]:
>> directory traversal in dlopen
>>
>> CVE-2015-5200[2]:
>> vulnerability in trace functionality
>>
>> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
>> release.
>>
>> If you fix the vulnerabilities please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> Hello Alessandro,
>
> Thanks for the heads-up!
>
> Vincent, Andreas,
>
> I have updated the libvdpau git repo with the new release [1]. I have
> tested the amd64 and i386 packages in Jessie, and they seem to work just
> fine with vdpauinfo and VLC.
>
> Could you please review and do a new upload, when you have time?
>
> Thanks!
>
> Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.

Uploaded, thanks! I'll make a note to myself to update the package in
jessie-backports as well. Luca, let me know if you need a sponsor for
the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
don't know if these CVEs warrant a DSA, so ping the security team
first with a source debdiff and see what they say, and if they say no
then ping the release team instead); thanks for taking care of updates
for stable/oldstable/oldoldstable!

Regards,
Vincent