943967 – (CVE-2015-5198) VUL-0: CVE-2015-5198: libvdpau: incorrect check for security transition

Bug 943967 (CVE-2015-5198) - VUL-0: CVE-2015-5198: libvdpau: incorrect check for security transition

Summary: VUL-0: CVE-2015-5198: libvdpau: incorrect check for security transition

Status:	RESOLVED FIXED

Alias:	CVE-2015-5198

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/154751/
Whiteboard:	CVSSv2:RedHat:CVE-2015-5198:6.2:(AV:L...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-09-01 07:18 UTC by Victor Pereira
Modified:	2017-05-30 10:02 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2015-09-01 07:18:24 UTC

rh#1253824

libvdpau incorrectly checks if the process underwent a security transition at startup, related to processing of the VDPAU_DRIVER_PATH environment variable.  This may allow local attackers gain additional privileges.

Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1253824
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198

Comment 1 Stefan Dirsch 2015-09-01 15:43:03 UTC

openSUSE 13.1/13.2: MR#328377
Factory/TW: SR#328378

Comment 2 Bernhard Wiedemann 2015-09-01 16:00:09 UTC

This is an autogenerated message for OBS integration:
This bug (943967) was mentioned in
https://build.opensuse.org/request/show/328377 13.2+13.1 / libvdpau
https://build.opensuse.org/request/show/328378 Factory / libvdpau

Comment 3 Swamp Workflow Management 2015-09-01 22:00:17 UTC

bugbot adjusting priority

Comment 4 Stefan Dirsch 2015-09-02 04:49:04 UTC

openSUSE 42/Leap: SR#328413

Comment 5 Bernhard Wiedemann 2015-09-02 05:00:08 UTC

This is an autogenerated message for OBS integration:
This bug (943967) was mentioned in
https://build.opensuse.org/request/show/328413 42 / libvdpau

Comment 7 Stefan Dirsch 2015-09-02 11:50:17 UTC

sle-12: SR#66816
sle-11-sp2: SR#66818

Comment 9 Stefan Dirsch 2015-09-02 13:36:04 UTC

Ok. So openSUSE and SLE should be handled by now. Reassigning to security team.

Comment 11 Bernhard Wiedemann 2015-09-02 14:00:18 UTC

This is an autogenerated message for OBS integration:
This bug (943967) was mentioned in
https://build.opensuse.org/request/show/328655 Factory / libvdpau
https://build.opensuse.org/request/show/328656 42 / libvdpau

Comment 12 Bernhard Wiedemann 2015-09-07 11:00:09 UTC

This is an autogenerated message for OBS integration:
This bug (943967) was mentioned in
https://build.opensuse.org/request/show/329483 Factory / libvdpau

Comment 13 Stefan Dirsch 2015-09-08 10:37:11 UTC

Revised SR for sle11-sp2: #67108

Comment 14 Swamp Workflow Management 2015-09-11 07:11:31 UTC

openSUSE-SU-2015:1537-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 943967,943968,943969
CVE References: CVE-2015-5198,CVE-2015-5199,CVE-2015-5200
Sources used:
openSUSE 13.2 (src):    libvdpau-0.8-2.3.1
openSUSE 13.1 (src):    libvdpau-0.6-3.3.1

Comment 16 Swamp Workflow Management 2015-11-03 10:31:54 UTC

SUSE-SU-2015:1892-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 943967,943968,943969
CVE References: CVE-2015-5198,CVE-2015-5199,CVE-2015-5200
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    libvdpau-0.8-3.1
SUSE Linux Enterprise Software Development Kit 12 (src):    libvdpau-0.8-3.1
SUSE Linux Enterprise Server 12 (src):    libvdpau-0.8-3.1
SUSE Linux Enterprise Desktop 12 (src):    libvdpau-0.8-3.1

Comment 17 Swamp Workflow Management 2015-11-06 14:12:17 UTC

SUSE-SU-2015:1925-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 943967,943968,943969
CVE References: CVE-2015-5198,CVE-2015-5199,CVE-2015-5200
Sources used:
SUSE Linux Enterprise Desktop 11-SP4 (src):    libvdpau-0.4.1-16.20.2
SUSE Linux Enterprise Desktop 11-SP3 (src):    libvdpau-0.4.1-16.20.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libvdpau-0.4.1-16.20.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libvdpau-0.4.1-16.20.2

Comment 19 Marcus Meissner 2016-03-22 16:17:20 UTC

released

Comment 20 Bernhard Wiedemann 2017-05-30 10:02:17 UTC

This is an autogenerated message for OBS integration:
This bug (943967) was mentioned in
https://build.opensuse.org/request/show/499646 Factory / libvdpau