[3.0] libvdpau: vulnerabilities in 1.1 and older when used with setuid or setgid applications (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200)
libvdpau versions 1.1 and earlier, when used in setuid or setgid
applications, contain vulnerabilities related to environment
variable handling that could allow an attacker to execute
arbitrary code or overwrite arbitrary files.
- libvdpau incorrect check for security transition (CVE-2015-5198)
- libvdpau directory traversal in dlopen (CVE-2015-5199)
- libvdpau vulnerability in trace functionality (CVE-2015-5200)
References:
http://lists.x.org/archives/xorg-announce/2015-August/002630.html
Patch:
http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
(from redmine: issue id 4823, created on 2015-11-03, closed on 2015-12-10)
- Relations:
  - parent #4822 (closed)
- Changesets:
  - Revision 58c92635 on 2015-12-03T13:34:13Z:
    main/libvdpau: security fixes CVE-2015-5198, CVE-2015-5199, CVE-2015-5200. Fixes #4823