Bug 16687

Summary: libvdpau new security issues CVE-2015-5198, CVE-2015-5199, and CVE-2015-5200
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tarazed25, yann.cantin
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/656661/
Whiteboard: MGA4TOO has_procedure advisory MGA5-64-OK MGA4-64-OK
Source RPM: libvdpau-0.9-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-09-02 16:33:13 CEST 
Upstream has released version 1.1.1 on August 31, fixing security issues:
http://lists.x.org/archives/xorg-announce/2015-August/002630.html

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated libvdpau packages fix security vulnerabilities:

libvdpau versions 1.1 and earlier, when used in setuid or setgid applications,
contain vulnerabilities related to environment variable handling that could
allow an attacker to execute arbitrary code or overwrite arbitrary files
(CVE-2015-5198, CVE-2015-5199, and CVE-2015-5200).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
http://lists.x.org/archives/xorg-announce/2015-August/002630.html
========================

Updated packages in core/updates_testing:
========================
libvdpau1-1.1.1-1.mga4
libvdpau-trace-1.1.1-1.mga4
libvdpau-devel-1.1.1-1.mga4
libvdpau1-1.1.1-1.mga5
libvdpau-trace-1.1.1-1.mga5
libvdpau-devel-1.1.1-1.mga5

from SRPMS:
libvdpau-1.1.1-1.mga4.src.rpm
libvdpau-1.1.1-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-09-02 16:33:20 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-09-04 16:21:56 CEST 
Ubuntu has issued an advisory for this on September 3:
http://www.ubuntu.com/usn/usn-2729-1/
David Walser 2015-09-04 22:47:51 CEST

URL: (none) => http://lwn.net/Vulnerabilities/656661/

Comment 2 Yann Cantin 2015-09-12 23:33:09 CEST 
mga5 x86_64 NVIDIA GF104 [GeForce GTX 460]

Installed packages :
lib64vdpau-devel-1.1.1-1.mga5
lib64vdpau1-1.1.1-1.mga5

Running : mplayer -vo vdpau test.mkv
VO: [vdpau] 1920x1080 => 1920x1080 Planar YV12  [zoom]

Display and cpu usage OK.

Update OK.

CC: (none) => yann.cantin
Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK

Comment 3 Len Lawrence 2015-09-13 17:53:35 CEST 
mga4 i586 virtualbox (GeForce GTX 770)

[lcl@alcor ~]$ mplayer -vo vdpau test2.mkv
MPlayer SVN-3.r36361.3.mga4.tainted-4.8.2 (C) 2000-2013 MPlayer Team
Playing test2.mkv.
libavformat version 55.12.100 (external)
libavformat file format detected.
[lavf] stream 0: video (h264), -vid 0
[lavf] stream 1: audio (aac), -aid 0
VIDEO:  [H264]  1024x576  0bpp  24.000 fps    0.0 kbps ( 0.0 kbyte/s)
Clip info:
 creation_time: 2011-06-02 12:45:20
 TITLE: Elephant Dream - test 2
 DATE_RELEASED: 2010
 COMMENT: Matroska Validation File 2, 100,000 timecode scale, odd aspect ratio, and CRC-32. Codecs are AVC and AAC
Load subtitles in ./
Failed to open VDPAU backend libvdpau_nvidia.so: cannot open shared object file: No such file or directory
[vdpau] Error when calling vdp_device_create_x11: 1

[lcl@alcor ~]$ locate vdpau
/usr/lib/libvdpau.so.1
/usr/lib/libvdpau.so.1.0.0
/usr/lib/vdpau
/usr/lib/directfb-1.7-0/gfxdrivers/libdirectfb_vdpau.so
/usr/lib/directfb-1.7-0/systems/libdirectfb_x11vdpau.so
/usr/lib/gstreamer-1.0/libgstvdpau.so
/usr/lib/vlc/plugins/codec/libvdpau_plugin.so

Played the test file in vlc to confirm that it was valid:
Elephant Dream - test 2
Video:
codec H264 - MPEG-4 AVC (part 10) (avc1)
resolution 1024x576
frame rate 24.0...
decoded format: Planar 4:2:0 YUV

[lcl@alcor ~]$ sudo urpmi libvdpau_nvidia
No package named libvdpau_nvidia

Is this a problem with nvidia proprietary driver and 32-bit architecture?
It certainly plays fine in x86_64 on the host system, mga5 pre-update.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2015-09-13 18:24:18 CEST 
Testing in virtualbox mga4 x86_64

mplayer cannot find the vdpau nvidia backend pre-update.
After the update the same applies and it is not in the /usr/lib64/vdpau directory either.  So maybe it has something to do with virtualbox?
Comment 5 David Walser 2015-09-13 18:25:07 CEST 
(In reply to Len Lawrence from comment #3)
> Failed to open VDPAU backend libvdpau_nvidia.so: cannot open shared object
> file: No such file or directory

That file is probably in the proprietary nvidia module package (in nonfree).  I read something that said only the proprietary nvidia module actually truly makes use of vdpau on Linux.
Comment 6 Len Lawrence 2015-09-13 19:47:14 CEST 
That seems likely.  Is it possible to install a nonfree version for virtualbox?  I cannot even find nvidia-settings in this vbox so presumably that is part of the package.

Anyway, not to worry; I discovered that one of my test machines has mga4 x86_64 installed.  Testing on that and all is well.

mga4 x86_64 real hardware - GeForce 310
nvidia 331.113
With the update installed mplayer had no problem with the Matroska test file and posted the same information as referenced in comment 3.
And I noted that here are several locations for the vdpau backend.
Len Lawrence 2015-09-13 19:48:07 CEST

Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK MGA4-64-OK has_procedure

Comment 7 Len Lawrence 2015-09-13 20:00:05 CEST 
Sorry, getting all muddled here.  Forget comment 3.  This is the information that was returned.

[lcl@altair ~]$ mplayer -vo vdpau test2.mkv
MPlayer SVN-3.r36361.3.mga4-4.8.2 (C) 2000-2013 MPlayer Team
Playing test2.mkv.
libavformat version 55.12.100 (external)
libavformat file format detected.
[lavf] stream 0: video (h264), -vid 0
[lavf] stream 1: audio (aac), -aid 0
VIDEO:  [H264]  1024x576  0bpp  24.000 fps    0.0 kbps ( 0.0 kbyte/s)
Clip info:
 creation_time: 2011-06-02 12:45:20
 TITLE: Elephant Dream - test 2
 DATE_RELEASED: 2010
 COMMENT: Matroska Validation File 2, 100,000 timecode scale, odd aspect ratio, and CRC-32. Codecs are AVC and AAC
Comment 8 claire robinson 2015-09-13 22:03:50 CEST 
This is one which can't be tested inside virtualbox.

Validating. Advisory uploaded.

Please push to 4 & 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA5-64-OK MGA4-64-OK has_procedure => MGA4TOO has_procedure advisory MGA5-64-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-09-13 23:59:35 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0364.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED