libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

Related Vulnerabilities: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

Debian Bug report logs - #797895

Reported by: Alessandro Ghedini <ghedo@debian.org>

Date: Thu, 3 Sep 2015 12:51:02 UTC

Severity: important

Tags: fixed-upstream, security

Found in versions libvdpau/0.4.1-7, libvdpau/0.4.1-2, libvdpau/1.1-1

Fixed in versions libvdpau/1.1.1-1, libvdpau/0.4.1-2+deb6u1, libvdpau/0.8-3+deb8u1, libvdpau/0.4.1-7+deb7u1

Done: Luca Boccassi <luca.boccassi@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#797895; Package src:libvdpau. (Thu, 03 Sep 2015 12:51:05 GMT)


Acknowledgement sent to Alessandro Ghedini <ghedo@debian.org>:
New Bug report received and forwarded. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Thu, 03 Sep 2015 12:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: submit@bugs.debian.org
Subject: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Date: Thu, 3 Sep 2015 14:49:50 +0200
Source: libvdpau
Severity: important
Tags: security, fixed-upstream

Hi,

the following vulnerabilities were published for libvdpau.

CVE-2015-5198[0]:
incorrect check for security transition

CVE-2015-5199[1]:
directory traversal in dlopen

CVE-2015-5200[2]:
vulnerability in trace functionality

All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
release.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5198
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
[1] https://security-tracker.debian.org/tracker/CVE-2015-5199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
[2] https://security-tracker.debian.org/tracker/CVE-2015-5200
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
[3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4

Please adjust the affected versions in the BTS as needed.

Cheers
[signature.asc (application/pgp-signature, inline)]
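
Added example (not code from libvdpau or from this thread): the changelog later in this log summarises the fix as "Use secure_getenv(3)", and the C below shows what that call changes when an environment variable picks the library handed to dlopen(3). The function names, MODULE_DIR and the extra name filter are assumptions of this example and go beyond what the thread states about the patch; VDPAU_DRIVER is the variable libvdpau reads to select a backend.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes secure_getenv(3) in glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>

/* Explicit prototype so the file also builds if <stdlib.h> was pulled in
 * before _GNU_SOURCE was defined. */
extern char *secure_getenv(const char *name);

#define MODULE_DIR "/usr/lib/vdpau"   /* assumed install directory */

/* Incomplete transition check: comparing uids notices setuid programs only.
 * It misses setgid binaries and binaries carrying file capabilities. */
int uid_only_transition(void)
{
    return getuid() != geteuid();
}

/* The kernel sets AT_SECURE for setuid, setgid and file-capability
 * executions; this is the "secure execution" condition under which
 * secure_getenv(3) returns NULL. */
int loader_secure_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Extra hardening assumed by this example: accept a bare backend name only,
 * so a value such as "../../tmp/x" can never steer the dlopen path. */
int driver_name_ok(const char *name)
{
    size_t len = strlen(name);

    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Build the path that would be passed to dlopen(3).
 * Returns 0 and fills `out` on success, -1 if the name is refused or the
 * buffer is too small. In secure-execution mode the environment is ignored
 * and `fallback` is used instead. */
int resolve_driver_path(const char *fallback, char *out, size_t outlen)
{
    const char *name = secure_getenv("VDPAU_DRIVER");
    int n;

    if (name == NULL)
        name = fallback;
    if (!driver_name_ok(name))
        return -1;
    n = snprintf(out, outlen, "%s/libvdpau_%s.so.1", MODULE_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[256];

    printf("uid-only check: %d, AT_SECURE: %d\n",
           uid_only_transition(), loader_secure_mode());
    if (resolve_driver_path("nvidia", path, sizeof path) == 0)
        printf("would dlopen: %s\n", path);
    else
        printf("driver name refused\n");
    return 0;
}
```
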

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#797895; Package src:libvdpau. (Fri, 04 Sep 2015 00:27:04 GMT)


Acknowledgement sent to Luca Boccassi <luca.boccassi@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Fri, 04 Sep 2015 00:27:04 GMT)


Message #10 received at 797895@bugs.debian.org:

From: Luca Boccassi <luca.boccassi@gmail.com>
To: Alessandro Ghedini <ghedo@debian.org>, 797895@bugs.debian.org
Subject: Re: Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Date: Fri, 04 Sep 2015 01:24:07 +0100
On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
> 
> Hi,
> 
> the following vulnerabilities were published for libvdpau.
> 
> CVE-2015-5198[0]:
> incorrect check for security transition
> 
> CVE-2015-5199[1]:
> directory traversal in dlopen
> 
> CVE-2015-5200[2]:
> vulnerability in trace functionality
> 
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Hello Alessandro,

Thanks for the heads-up!

Vincent, Andreas,

I have updated the libvdpau git repo with the new release [1]. I have
tested the amd64 and i386 packages in Jessie, and they seem to work just
fine with vdpauinfo and VLC.

Could you please review and do a new upload, when you have time?

Thanks!

Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.

Kind regards,
Luca Boccassi

[1] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git
[signature.asc (application/pgp-signature, inline)]

Marked as found in versions libvdpau/1.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 04 Sep 2015 05:18:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#797895; Package src:libvdpau. (Fri, 04 Sep 2015 05:45:06 GMT)


Acknowledgement sent to Vincent Cheng <vcheng@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Fri, 04 Sep 2015 05:45:06 GMT)


Message #17 received at 797895@bugs.debian.org:

From: Vincent Cheng <vcheng@debian.org>
To: Luca Boccassi <luca.boccassi@gmail.com>
Cc: Alessandro Ghedini <ghedo@debian.org>, 797895@bugs.debian.org
Subject: Re: Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Date: Thu, 3 Sep 2015 22:40:37 -0700
On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.boccassi@gmail.com> wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> Source: libvdpau
>> Severity: important
>> Tags: security, fixed-upstream
>>
>> Hi,
>>
>> the following vulnerabilities were published for libvdpau.
>>
>> CVE-2015-5198[0]:
>> incorrect check for security transition
>>
>> CVE-2015-5199[1]:
>> directory traversal in dlopen
>>
>> CVE-2015-5200[2]:
>> vulnerability in trace functionality
>>
>> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
>> release.
>>
>> If you fix the vulnerabilities please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> Hello Alessandro,
>
> Thanks for the heads-up!
>
> Vincent, Andreas,
>
> I have updated the libvdpau git repo with the new release [1]. I have
> tested the amd64 and i386 packages in Jessie, and they seem to work just
> fine with vdpauinfo and VLC.
>
> Could you please review and do a new upload, when you have time?
>
> Thanks!
>
> Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.

Uploaded, thanks! I'll make a note to myself to update the package in
jessie-backports as well. Luca, let me know if you need a sponsor for
the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
don't know if these CVEs warrant a DSA, so ping the security team
first with a source debdiff and see what they say, and if they say no
then ping the release team instead); thanks for taking care of updates
for stable/oldstable/oldoldstable!

Regards,
Vincent



Reply sent to Luca Boccassi <luca.boccassi@gmail.com>:
You have taken responsibility. (Fri, 04 Sep 2015 05:51:08 GMT)


Notification sent to Alessandro Ghedini <ghedo@debian.org>:
Bug acknowledged by developer. (Fri, 04 Sep 2015 05:51:08 GMT)


Message #22 received at 797895-close@bugs.debian.org:

From: Luca Boccassi <luca.boccassi@gmail.com>
To: 797895-close@bugs.debian.org
Subject: Bug#797895: fixed in libvdpau 1.1.1-1
Date: Fri, 04 Sep 2015 05:49:22 +0000
Source: libvdpau
Source-Version: 1.1.1-1

We believe that the bug you reported is fixed in the latest version of
libvdpau, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797895@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Boccassi <luca.boccassi@gmail.com> (supplier of updated libvdpau package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu,  3 Sep 2015 22:34:32 PDT
Source: libvdpau
Binary: libvdpau-dev libvdpau1 libvdpau-doc libvdpau1-dbg
Architecture: source all
Version: 1.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Changed-By: Luca Boccassi <luca.boccassi@gmail.com>
Description: 
 libvdpau-dev - Video Decode and Presentation API for Unix (development files)
 libvdpau1 - Video Decode and Presentation API for Unix (libraries)
 libvdpau-doc - Video Decode and Presentation API for Unix (documentation)
 libvdpau1-dbg - Video Decode and Presentation API for Unix (debug symbols)
Closes: 797895
Changes:
 libvdpau (1.1.1-1) unstable; urgency=medium
 .
   [ Andreas Beckmann ]
   * simplify d/rules
 .
   [ Luca Boccassi ]
   * New upstream release.
     - Use secure_getenv(3) to improve security
       (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895.
   * Do not check for pdftex, removed upstream
   * Add myself to Uploaders
   * Refresh dlopen-path patch, upstream changes
   * Refresh patch module-searchpath, upstream changes




Marked as found in versions libvdpau/0.4.1-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 04 Sep 2015 09:24:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#797895; Package src:libvdpau. (Sat, 05 Sep 2015 11:57:06 GMT)


Acknowledgement sent to Luca Boccassi <luca.boccassi@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Sat, 05 Sep 2015 11:57:06 GMT)


Message #29 received at 797895@bugs.debian.org:

From: Luca Boccassi <luca.boccassi@gmail.com>
To: Alessandro Ghedini <ghedo@debian.org>, 797895@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Date: Sat, 05 Sep 2015 12:55:43 +0100
On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
> 
> Hi,
> 
> the following vulnerabilities were published for libvdpau.
> 
> CVE-2015-5198[0]:
> incorrect check for security transition
> 
> CVE-2015-5199[1]:
> directory traversal in dlopen
> 
> CVE-2015-5200[2]:
> vulnerability in trace functionality
> 
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> [3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4

Dear Alessandro and dear Security Team,

I have backported the upstream patch for the aforementioned CVEs to
jessie, wheezy and squeeze. I have attached the debdiffs for review.

I have verified they all build in amd64 and i386 chroots.

I have verified that the jessie and wheezy amd64 packages work using
"vdpauinfo".

Due to the need of a bare-metal installation (direct access to Nvidia
GPU is required), I have _NOT_ tested other architectures for jessie and
wheezy, and I have _NOT_ tested the squeeze build at all, because I do
not possess hardware capable of running with squeeze drivers, but given
the fact that it's the same upstream version as the wheezy build I am
reasonably confident it should work.

Two questions for you:

1) Do these CVEs warrant a DSA and an upload to security.debian.org, or
should I go through the proposed-updates route and ping the release team
instead?
2) If the answer to 1) is yes, does this apply to squeeze as well or
should I work with debian-lts team instead?

Thank you!

Kind regards,
Luca Boccassi
[jessie.debdiff (text/x-patch, attachment)]
[wheezy.debdiff (text/x-patch, attachment)]
[squeeze.debdiff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#797895; Package src:libvdpau. (Sat, 05 Sep 2015 13:15:03 GMT)


Acknowledgement sent to Alessandro Ghedini <ghedo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Sat, 05 Sep 2015 13:15:03 GMT)


Message #34 received at 797895@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: Luca Boccassi <luca.boccassi@gmail.com>
Cc: 797895@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Date: Sat, 5 Sep 2015 15:10:06 +0200
On Sat, Sep 05, 2015 at 12:55:43PM +0100, Luca Boccassi wrote:
> On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> > Source: libvdpau
> > Severity: important
> > Tags: security, fixed-upstream
> > 
> > Hi,
> > 
> > the following vulnerabilities were published for libvdpau.
> > 
> > CVE-2015-5198[0]:
> > incorrect check for security transition
> > 
> > CVE-2015-5199[1]:
> > directory traversal in dlopen
> > 
> > CVE-2015-5200[2]:
> > vulnerability in trace functionality
> > 
> > All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> > release.
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> > [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> > [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> > [3] http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
> 
> Dear Alessandro and dear Security Team,
> 
> I have backported the upstream patch for the aforementioned CVEs to
> jessie, wheezy and squeeze. I have attached the debdiffs for review.
> 
> I have verified they all build in amd64 and i386 chroots.
> 
> I have verified that the jessie and wheezy amd64 packages work using
> "vdpauinfo".
> 
> Due to the need of a bare-metal installation (direct access to Nvidia
> GPU is required), I have _NOT_ tested other architectures for jessie and
> wheezy, and I have _NOT_ tested the squeeze build at all, because I do
> not possess hardware capable of running with squeeze drivers, but given
> the fact that it's the same upstream version as the wheezy build I am
> reasonably confident it should work.
> 
> Two questions for you:
> 
> 1) Do these CVEs warrant a DSA and an upload to security.debian.org, or
> should I go through the proposed-updates route and ping the release team
> instead?

Yeah, we intend to release a DSA for this. The jessie and wheezy diffs look
good, so please go ahead and upload them to security-master. Note that they
both need to be built with the -sa dpkg-buildpackage flag, since these would
be the first jessie and wheezy security uploads for the package.

> 2) If the answer to 1) is yes, does this apply to squeeze as well or
> should I work with debian-lts team instead?

Yeah, you need to contact the LTS people for squeeze.

Thanks for your help.

Cheers
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#797895; Package src:libvdpau. (Sat, 05 Sep 2015 14:03:08 GMT)


Acknowledgement sent to Luca Boccassi <luca.boccassi@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Sat, 05 Sep 2015 14:03:08 GMT)


Message #39 received at 797895@bugs.debian.org:

From: Luca Boccassi <luca.boccassi@gmail.com>
To: Vincent Cheng <vcheng@debian.org>
Cc: Alessandro Ghedini <ghedo@debian.org>, 797895@bugs.debian.org
Subject: Re: Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Date: Sat, 05 Sep 2015 15:00:15 +0100
On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.boccassi@gmail.com> wrote:
> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> >> Source: libvdpau
> >> Severity: important
> >> Tags: security, fixed-upstream
> >>
> >> Hi,
> >>
> >> the following vulnerabilities were published for libvdpau.
> >>
> >> CVE-2015-5198[0]:
> >> incorrect check for security transition
> >>
> >> CVE-2015-5199[1]:
> >> directory traversal in dlopen
> >>
> >> CVE-2015-5200[2]:
> >> vulnerability in trace functionality
> >>
> >> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> >> release.
> >>
> >> If you fix the vulnerabilities please also make sure to include the
> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > Hello Alessandro,
> >
> > Thanks for the heads-up!
> >
> > Vincent, Andreas,
> >
> > I have updated the libvdpau git repo with the new release [1]. I have
> > tested the amd64 and i386 packages in Jessie, and they seem to work just
> > fine with vdpauinfo and VLC.
> >
> > Could you please review and do a new upload, when you have time?
> >
> > Thanks!
> >
> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
> 
> Uploaded, thanks! I'll make a note to myself to update the package in
> jessie-backports as well. Luca, let me know if you need a sponsor for
> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
> don't know if these CVEs warrant a DSA, so ping the security team
> first with a source debdiff and see what they say, and if they say no
> then ping the release team instead); thanks for taking care of updates
> for stable/oldstable/oldoldstable!

Hello Vincent,

Thanks for uploading 1.1.1!

I have pushed to the git repo the backported changes for jessie [1] and
wheezy [2]. Alessandro confirmed that the Security Team would like to
release a DSA for this [3], so could you please sponsor the upload to
security-master when you have time? I added you to the Uploaders in the
wheezy branch already.

Thanks!

Kind regards,
Luca Boccassi

[1] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git/log/?h=jessie-security
[2] https://anonscm.debian.org/cgit/pkg-nvidia/libvdpau.git/log/?h=wheezy-security
[3] http://lists.alioth.debian.org/pipermail/pkg-nvidia-devel/2015-September/011509.html
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#797895; Package src:libvdpau. (Mon, 07 Sep 2015 05:03:04 GMT)


Acknowledgement sent to Vincent Cheng <vcheng@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Mon, 07 Sep 2015 05:03:04 GMT)


Message #44 received at 797895@bugs.debian.org:

From: Vincent Cheng <vcheng@debian.org>
To: Luca Boccassi <luca.boccassi@gmail.com>
Cc: Alessandro Ghedini <ghedo@debian.org>, 797895@bugs.debian.org
Subject: Re: Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Date: Sun, 6 Sep 2015 22:01:32 -0700
On Sat, Sep 5, 2015 at 7:00 AM, Luca Boccassi <luca.boccassi@gmail.com> wrote:
> On Thu, 2015-09-03 at 22:40 -0700, Vincent Cheng wrote:
>> On Thu, Sep 3, 2015 at 5:24 PM, Luca Boccassi <luca.boccassi@gmail.com> wrote:
>> > On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
>> >> Source: libvdpau
>> >> Severity: important
>> >> Tags: security, fixed-upstream
>> >>
>> >> Hi,
>> >>
>> >> the following vulnerabilities were published for libvdpau.
>> >>
>> >> CVE-2015-5198[0]:
>> >> incorrect check for security transition
>> >>
>> >> CVE-2015-5199[1]:
>> >> directory traversal in dlopen
>> >>
>> >> CVE-2015-5200[2]:
>> >> vulnerability in trace functionality
>> >>
>> >> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
>> >> release.
>> >>
>> >> If you fix the vulnerabilities please also make sure to include the
>> >> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>> >
>> > Hello Alessandro,
>> >
>> > Thanks for the heads-up!
>> >
>> > Vincent, Andreas,
>> >
>> > I have updated the libvdpau git repo with the new release [1]. I have
>> > tested the amd64 and i386 packages in Jessie, and they seem to work just
>> > fine with vdpauinfo and VLC.
>> >
>> > Could you please review and do a new upload, when you have time?
>> >
>> > Thanks!
>> >
>> > Tomorrow I'll look into backporting the fix to Wheezy and Squeeze.
>>
>> Uploaded, thanks! I'll make a note to myself to update the package in
>> jessie-backports as well. Luca, let me know if you need a sponsor for
>> the wheezy-pu/jessie-pu or wheezy-security/jessie-security uploads (I
>> don't know if these CVEs warrant a DSA, so ping the security team
>> first with a source debdiff and see what they say, and if they say no
>> then ping the release team instead); thanks for taking care of updates
>> for stable/oldstable/oldoldstable!
>
> Hello Vincent,
>
> Thanks for uploading 1.1.1!
>
> I have pushed to the git repo the backported changes for jessie [1] and
> wheezy [2]. Alessandro confirmed that the Security Team would like to
> release a DSA for this [3], so could you please sponsor the upload to
> security-master when you have time? I added you to the Uploaders in the
> wheezy branch already.

Uploaded to security-master, thanks for preparing these updated
packages! It's worth pointing out that adding yourself to uploaders in
d/control isn't necessary for security uploads, although I suppose it
doesn't actually make any difference either way.

I'll take a look at the squeeze-lts update next.

Regards,
Vincent



Reply sent to Luca Boccassi <luca.boccassi@gmail.com>:
You have taken responsibility. (Mon, 07 Sep 2015 05:39:07 GMT)


Notification sent to Alessandro Ghedini <ghedo@debian.org>:
Bug acknowledged by developer. (Mon, 07 Sep 2015 05:39:07 GMT)


Message #49 received at 797895-close@bugs.debian.org:

From: Luca Boccassi <luca.boccassi@gmail.com>
To: 797895-close@bugs.debian.org
Subject: Bug#797895: fixed in libvdpau 0.4.1-2+deb6u1
Date: Mon, 07 Sep 2015 05:35:02 +0000
Source: libvdpau
Source-Version: 0.4.1-2+deb6u1

We believe that the bug you reported is fixed in the latest version of
libvdpau, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797895@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Boccassi <luca.boccassi@gmail.com> (supplier of updated libvdpau package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 05 Sep 2015 01:41:37 +0100
Source: libvdpau
Binary: libvdpau-dev libvdpau1 lib32vdpau1 libvdpau-doc
Architecture: source all amd64
Version: 0.4.1-2+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Changed-By: Luca Boccassi <luca.boccassi@gmail.com>
Description: 
 lib32vdpau1 - Video Decode and Presentation API for Unix (32-bit libraries)
 libvdpau-dev - Video Decode and Presentation API for Unix (development files)
 libvdpau-doc - Video Decode and Presentation API for Unix (documentation)
 libvdpau1  - Video Decode and Presentation API for Unix (libraries)
Closes: 797895
Changes: 
 libvdpau (0.4.1-2+deb6u1) squeeze-lts; urgency=high
 .
   * Patch for CVE 2015-5198, 2015-5199, 2015-5200
     - Use secure_getenv(3) to improve security
       (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895.
   * Add myself and Vincent Cheng to Uploaders




Information forwarded to debian-bugs-dist@lists.debian.org, Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>:
Bug#797895; Package src:libvdpau. (Mon, 07 Sep 2015 08:54:04 GMT)


Acknowledgement sent to Luca Boccassi <luca.boccassi@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>. (Mon, 07 Sep 2015 08:54:04 GMT)


Message #54 received at 797895@bugs.debian.org:

From: Luca Boccassi <luca.boccassi@gmail.com>
To: Vincent Cheng <vcheng@debian.org>
Cc: Alessandro Ghedini <ghedo@debian.org>, 797895@bugs.debian.org
Subject: Re: Bug#797895: libvdpau: CVE-2015-5198, CVE-2015-5199, CVE-2015-5200
Date: Mon, 7 Sep 2015 09:50:48 +0100
On Sep 7, 2015 06:01, "Vincent Cheng" <vcheng@debian.org> wrote:
> On Sat, Sep 5, 2015 at 7:00 AM, Luca Boccassi <luca.boccassi@gmail.com> wrote:
> > I have pushed to the git repo the backported changes for jessie [1] and
> > wheezy [2]. Alessandro confirmed that the Security Team would like to
> > release a DSA for this [3], so could you please sponsor the upload to
> > security-master when you have time? I added you to the Uploaders in the
> > wheezy branch already.
>
> Uploaded to security-master, thanks for preparing these updated
> packages! It's worth pointing out that adding yourself to uploaders in
> d/control isn't necessary for security uploads, although I suppose it
> doesn't actually make any difference either way.
>
> I'll take a look at the squeeze-lts update next.

Ah sorry, didn't know about the uploaders field, I thought it was like
normal uploads in that regard.

Thanks for taking care of it!

Kind regards,
Luca Boccassi

Marked as found in versions libvdpau/0.4.1-2. Request was from Luca Boccassi <luca.boccassi@gmail.com> to control@bugs.debian.org. (Mon, 07 Sep 2015 13:51:10 GMT)


Reply sent to Luca Boccassi <luca.boccassi@gmail.com>:
You have taken responsibility. (Sat, 12 Sep 2015 21:22:20 GMT)


Notification sent to Alessandro Ghedini <ghedo@debian.org>:
Bug acknowledged by developer. (Sat, 12 Sep 2015 21:22:20 GMT)


Message #61 received at 797895-close@bugs.debian.org:

From: Luca Boccassi <luca.boccassi@gmail.com>
To: 797895-close@bugs.debian.org
Subject: Bug#797895: fixed in libvdpau 0.8-3+deb8u1
Date: Sat, 12 Sep 2015 21:17:06 +0000
Source: libvdpau
Source-Version: 0.8-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
libvdpau, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797895@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Boccassi <luca.boccassi@gmail.com> (supplier of updated libvdpau package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 04 Sep 2015 23:23:40 +0100
Source: libvdpau
Binary: libvdpau-dev libvdpau1 libvdpau-doc libvdpau1-dbg
Architecture: source all amd64
Version: 0.8-3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Changed-By: Luca Boccassi <luca.boccassi@gmail.com>
Description:
 libvdpau-dev - Video Decode and Presentation API for Unix (development files)
 libvdpau-doc - Video Decode and Presentation API for Unix (documentation)
 libvdpau1  - Video Decode and Presentation API for Unix (libraries)
 libvdpau1-dbg - Video Decode and Presentation API for Unix (debug symbols)
Closes: 797895
Changes:
 libvdpau (0.8-3+deb8u1) jessie-security; urgency=high
 .
   * Patch for CVE 2015-5198, 2015-5199, 2015-5200
     - Use secure_getenv(3) to improve security
       (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895.
   * Add myself to Uploaders




Reply sent to Luca Boccassi <luca.boccassi@gmail.com>:
You have taken responsibility. (Sat, 12 Sep 2015 21:22:23 GMT)


Notification sent to Alessandro Ghedini <ghedo@debian.org>:
Bug acknowledged by developer. (Sat, 12 Sep 2015 21:22:23 GMT)


Message #66 received at 797895-close@bugs.debian.org:

From: Luca Boccassi <luca.boccassi@gmail.com>
To: 797895-close@bugs.debian.org
Subject: Bug#797895: fixed in libvdpau 0.4.1-7+deb7u1
Date: Sat, 12 Sep 2015 21:17:48 +0000
Source: libvdpau
Source-Version: 0.4.1-7+deb7u1

We believe that the bug you reported is fixed in the latest version of
libvdpau, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797895@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Boccassi <luca.boccassi@gmail.com> (supplier of updated libvdpau package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 05 Sep 2015 01:12:01 +0100
Source: libvdpau
Binary: libvdpau-dev libvdpau1 libvdpau-doc
Architecture: source all amd64
Version: 0.4.1-7+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Changed-By: Luca Boccassi <luca.boccassi@gmail.com>
Description: 
 libvdpau-dev - Video Decode and Presentation API for Unix (development files)
 libvdpau-doc - Video Decode and Presentation API for Unix (documentation)
 libvdpau1  - Video Decode and Presentation API for Unix (libraries)
Closes: 797895
Changes: 
 libvdpau (0.4.1-7+deb7u1) wheezy-security; urgency=high
 .
   * Patch for CVE 2015-5198, 2015-5199, 2015-5200
     - Use secure_getenv(3) to improve security
       (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895.
   * Add myself and Vincent Cheng to Uploaders




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Oct 2015 07:34:54 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:10:13 2019; Machine Name: beach
