← Back to team overview

desktop-packages team mailing list archive

Thread
Date

[Bug 1490826] [NEW] NVIDIA's VDPAU Library Exposed To Security Issue

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: dino99 <1490826@xxxxxxxxxxxxxxxxxx>
Date: Tue, 01 Sep 2015 05:47:33 -0000
Reply-to: Bug 1490826 <1490826@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

>From a Phoronix post:

http://lists.x.org/archives/xorg-announce/2015-August/002630.html

http://anzwix.com/a/VDPAU/UseSecuregetenv3ToImproveSecurity

NVIDIA released the libvdpau 1.1.1 library today to fix three new CVE
security issues.

Aaron Plattner of NVIDIA announced today:
libvdpau versions 1.1 and earlier, when used in setuid or setgid applications, contain vulnerabilities related to environment variable handling that could allow an attacker to execute arbitrary code or overwrite arbitrary files. See CVE-2015-5198, CVE-2015-5199, and CVE-2015-5200 for more details.

This release uses the secure_getenv() function, when available, to fix
these problems. On platforms where secure_getenv() is not available, the
VDPAU environment variables will not be honored by the library.

The secure_getenv() call is used now rather than getenv() for obtaining
the environment variable values of DRI_PRIME, VDPAU_DRIVER,
VDPAU_DRIVER_PATH, VDPAU_TRACE, and VDPAU_TRACE_FILE, per this commit.
The secure_getenv() call has been present since glibc 2.17 is GNU-
specific and will return null in cases where secure execution is
required, details via the man page.

** Affects: libvdpau (Ubuntu)
Importance: Undecided
Status: New

** Tags: bot-stop-nagging

** Tags added: bot-stop-nagging

** Description changed:

+ From a Phoronix post:
+
http://lists.x.org/archives/xorg-announce/2015-August/002630.html

http://anzwix.com/a/VDPAU/UseSecuregetenv3ToImproveSecurity

NVIDIA released the libvdpau 1.1.1 library today to fix three new CVE
security issues.

- Aaron Plattner of NVIDIA announced today:
- libvdpau versions 1.1 and earlier, when used in setuid or setgid applications, contain vulnerabilities related to environment variable handling that could allow an attacker to execute arbitrary code or overwrite arbitrary files. See CVE-2015-5198, CVE-2015-5199, and CVE-2015-5200 for more details.
+ Aaron Plattner of NVIDIA announced today:
+ libvdpau versions 1.1 and earlier, when used in setuid or setgid applications, contain vulnerabilities related to environment variable handling that could allow an attacker to execute arbitrary code or overwrite arbitrary files. See CVE-2015-5198, CVE-2015-5199, and CVE-2015-5200 for more details.

--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libvdpau in Ubuntu.
https://bugs.launchpad.net/bugs/1490826

Title:
NVIDIA's VDPAU Library Exposed To Security Issue

Status in libvdpau package in Ubuntu:
New

Bug description:
From a Phoronix post:

http://lists.x.org/archives/xorg-announce/2015-August/002630.html

http://anzwix.com/a/VDPAU/UseSecuregetenv3ToImproveSecurity

NVIDIA released the libvdpau 1.1.1 library today to fix three new CVE
security issues.

This release uses the secure_getenv() function, when available, to fix
these problems. On platforms where secure_getenv() is not available,
the VDPAU environment variables will not be honored by the library.

The secure_getenv() call is used now rather than getenv() for
obtaining the environment variable values of DRI_PRIME, VDPAU_DRIVER,
VDPAU_DRIVER_PATH, VDPAU_TRACE, and VDPAU_TRACE_FILE, per this commit.
The secure_getenv() call has been present since glibc 2.17 is GNU-
specific and will return null in cases where secure execution is
required, details via the man page.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvdpau/+bug/1490826/+subscriptions

Follow ups

[Bug 1490826] Re: [CVE] NVIDIA's VDPAU Library Exposed To Security Issue
From: dino99, 2015-09-02
[Bug 1490826] Re: [CVE] NVIDIA's VDPAU Library Exposed To Security Issue
From: dino99, 2015-09-01