Hello community, here is the log from the commit of package libvdpau.3998 for openSUSE:13.2:Update checked in at 2015-09-11 08:30:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.2:Update/libvdpau.3998 (Old) and /work/SRC/openSUSE:13.2:Update/.libvdpau.3998.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvdpau.3998" Changes: -------- New Changes file:
--- /dev/null 2015-08-24 19:43:32.284261900 +0200
+++ /work/SRC/openSUSE:13.2:Update/.libvdpau.3998.new/libvdpau.changes 2015-09-11 08:30:26.000000000 +0200
@@ -0,0 +1,136 @@
+-------------------------------------------------------------------
+Tue Sep 1 15:20:01 UTC 2015 - [email protected]
+
+- U_Use-secure_getenv-3-to-improve-security.patch
+ * VUL-0: CVE-2015-5198: libvdpau: incorrect check for security
+ transition (bnc#943967)
+ * VUL-0: CVE-2015-5199: libvdpau: directory traversal in dlopen
+ (bnc#943968)
+ * VUL-0: CVE-2015-5200: libvdpau: vulnerability in trace
+ functionality (bnc#943969)
+
+-------------------------------------------------------------------
+Wed Jul 2 07:49:16 UTC 2014 - [email protected]
+
+- Update to v0.8
+ * This release fixes an incorrect type for VdpPictureInfo and
+ adds an environment variable, VDPAU_DRIVER_PATH, which can be
+ used to override the default search path that the library uses
+ to find its backend driver libraries.
+
+-------------------------------------------------------------------
+Sun Oct 27 09:25:25 UTC 2013 - [email protected]
+
+- update to vdpauinfo 0.1
+ * This release fixes a problem where ranges were queried for
+ mixer parameters and attributes where ranges were not allowed.
+
+-------------------------------------------------------------------
+Mon Mar 25 12:12:33 UTC 2013 - [email protected]
+
+- Drop libvdpau-alway-workaround-libflash.patch: while this
+ fixes flash plugin, it breaks all the other apps. (bnc#811360)
+
+-------------------------------------------------------------------
+Sun Feb 3 15:08:19 UTC 2013 - [email protected]
+
+- Update to v0.6
+ * Make use of dri2proto_CFLAGS when building.
+ * Fix leaked extension info on library unload
+ * Use AC_CONFIG_HEADERS instead of AM_CONFIG_HEADER to appease
+ automake 1.13
+
+-------------------------------------------------------------------
+Wed Sep 5 15:58:42 UTC 2012 - [email protected]
+
+- Update to v0.5
+ * vdpau_wrapper.c: Track dynamic library handles and free them
+ on exit
+ * Implement workarounds for Adobe Flash bugs
+- Add libvdpau-alway-workaround-libflash.patch: always enable
+ Flash workarounds and not depend on kernel command line. Users
+ can disable this in the /etc/vdpau_wrapper.cfg file.
+
+-------------------------------------------------------------------
+Tue Jun 26 12:34:44 UTC 2012 - [email protected]
+
+- back to building the HTML documentation (instead of prebuilding
+ and then extracting it during the build), but this time without
+ requiring texlive, since pdftex apparently isn't used for this
+ purpose anyway (libvdpau-nopdftex.patch)
+
+-------------------------------------------------------------------
+Mon Jun 25 13:23:52 UTC 2012 - [email protected]
+
+- do not build the documentation but package a prebuilt tar of it
+ to avoid huge build cycle
+
+-------------------------------------------------------------------
+Mon Aug 29 14:47:54 UTC 2011 - [email protected]
+
+- fixes the build in a more correct way :-) Hopefully!
+
+-------------------------------------------------------------------
+Mon Aug 29 12:19:11 UTC 2011 - [email protected]
+
+- vdpau needs an explicit "-lX11" with latest toolchain
+
+-------------------------------------------------------------------
+Wed Sep 22 07:19:14 UTC 2010 - [email protected]
+
+- fix baselibs.conf
+
+-------------------------------------------------------------------
+Wed Sep 8 17:21:29 UTC 2010 - [email protected]
+
+- libvdpau 0.4.1
+ This minor update just changes a few small, but important,
+ documentation details.
+ * vdpau.h: Clarify video mixer field amount recommendation
+ * vpdau.h: Fix typo and clarify wording.
+ * More doc issues pointed out by Xine authors.
+
+-------------------------------------------------------------------
+Fri Jun 18 22:10:29 CEST 2010 - [email protected]
+
+- renamed rpmlintrc to libvdpau-rpmlintrc
+- added libvdpau-rpmlintrc as source to specfile
+
+-------------------------------------------------------------------
+Fri Jun 4 20:41:37 CEST 2010 - [email protected]
+
+- fixed baselibs.conf (packages have been renamed)
+
+-------------------------------------------------------------------
+Sat Apr 24 12:59:42 CEST 2010 - [email protected]
+
+- fixed libvdpau_trace1 package description
+- added README for tracing VDPAU function calls
+
+-------------------------------------------------------------------
+Sat Apr 24 10:37:30 CEST 2010 - [email protected]
+
+- added Wladimir J. van der Laan's vdpinfo tool, a command line
+ utility for querying the capabilities of a VDPAU device.
+
+-------------------------------------------------------------------
+Thu Apr 22 22:34:09 UTC 2010 - [email protected]
+
+- put libvdpau_trace into it's own package
+
+-------------------------------------------------------------------
+Thu Apr 22 18:11:59 UTC 2010 - [email protected]
+
+- follow Shared Library Packaging Policy
+- obsolete packman vdpau packages for proper update
+
+-------------------------------------------------------------------
+Thu Apr 22 02:33:32 CEST 2010 - [email protected]
+
+- also build and package documentation
+
+-------------------------------------------------------------------
+Wed Apr 21 12:00:38 CEST 2010 - [email protected]
+
+- created package (bnc #596481)
+
New: ---- README U_Use-secure_getenv-3-to-improve-security.patch baselibs.conf libvdpau-0.8.tar.bz2 libvdpau-nopdftex.patch libvdpau-rpmlintrc libvdpau.changes libvdpau.spec vdpauinfo-0.1.tar.gz vdpauinfo-missing-lX11.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvdpau.spec ++++++ # # spec file for 
package libvdpau # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libvdpau Version: 0.8 Release: 0 Summary: VDPAU wrapper and trace libraries License: MIT Group: System/Libraries Url: http://people.freedesktop.org/~aplattner Source: http://people.freedesktop.org/~aplattner/vdpau/%{name}-%{version}.tar.bz2 Source1: vdpauinfo-0.1.tar.gz Source2: README Source99: baselibs.conf Source100: %{name}-rpmlintrc Patch: vdpauinfo-missing-lX11.diff Patch1: libvdpau-nopdftex.patch Patch2: U_Use-secure_getenv-3-to-improve-security.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: doxygen BuildRequires: gcc-c++ BuildRequires: graphviz BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: pkgconfig(x11) BuildRequires: pkgconfig(xext) BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This package contains the libvdpau wrapper library and the libvdpau_trace debugging library, along with the header files needed to build VDPAU applications. To actually use a VDPAU device, you need a vendor-specific implementation library. Currently, this is always libvdpau_nvidia. You can override the driver name by setting the VDPAU_DRIVER environment variable. 
%package -n libvdpau1 Summary: VDPAU wrapper library Group: System/Libraries Provides: libvdpau = %{version}-%{release} Obsoletes: libvdpau < %{version}-%{release} %description -n libvdpau1 This package contains the libvdpau wrapper library and the libvdpau_trace debugging library, along with the header files needed to build VDPAU applications. To actually use a VDPAU device, you need a vendor-specific implementation library. Currently, this is always libvdpau_nvidia. You can override the driver name by setting the VDPAU_DRIVER environment variable. %package -n libvdpau-devel Summary: VDPAU wrapper development files Group: Development/Libraries/X11 Requires: libvdpau1 = %{version} %description -n libvdpau-devel Note that this package only contains the VDPAU headers that are required to build applications. At runtime, the shared libraries are needed too and may be installed using the proprietary nVidia driver packages. %package -n libvdpau_trace1 Summary: VDPAU trace library Group: Development/Libraries/X11 Requires: libvdpau1 = %{version} Provides: libvdpau_trace = %{version}-%{release} Obsoletes: libvdpau_trace < %{version}-%{release} %description -n libvdpau_trace1 This package provides the library for tracing VDPAU function calls. Its usage is documented in the README. %prep %setup -q -b1 %patch1 -p0 %patch2 -p1 pushd ../vdpauinfo-* %patch -p0 popd %build autoreconf -fi %configure make %{?_smp_mflags} %install %makeinstall rm %{buildroot}%{_libdir}/libvdpau.la rm %{buildroot}%{_libdir}/vdpau/libvdpau_trace.la /sbin/ldconfig -n $RPM_BUILD_ROOT/%{_libdir}/vdpau rm %{buildroot}%{_libdir}/vdpau/libvdpau_trace.so pushd ../vdpauinfo-* %configure \ VDPAU_CFLAGS=-I$RPM_BUILD_ROOT/usr/include \ VDPAU_LIBS="-L$RPM_BUILD_ROOT/%{_libdir} -lvdpau -lX11" make %{?_smp_mflags} %makeinstall popd cp $RPM_SOURCE_DIR/README . 
%post -n libvdpau1 -p /sbin/ldconfig %postun -n libvdpau1 -p /sbin/ldconfig %files -n libvdpau1 %defattr(-,root,root) %dir %{_libdir}/vdpau /usr/bin/vdpauinfo %{_libdir}/libvdpau.so.* %config /etc/vdpau_wrapper.cfg %files -n libvdpau-devel %defattr(-,root,root) %doc %{_datadir}/doc/%{name} %dir %{_libdir}/vdpau %{_includedir}/vdpau %{_libdir}/libvdpau.so %{_libdir}/pkgconfig/vdpau.pc %files -n libvdpau_trace1 %defattr(-,root,root) %doc README %{_libdir}/vdpau/libvdpau_trace.so.* %changelog ++++++ README ++++++ DEBUGGING AND TRACING The VDPAU wrapper library supports tracing VDPAU function calls, and their parameters. This tracing is controlled by the following environment variables: VDPAU_TRACE Enables tracing. Set to 1 to trace function calls. Set to 2 to trace all arguments passed to the function. VDPAU_TRACE_FILE Filename to write traces to. By default, traces are sent to stderr. This variable may either contain a plain filename, or a reference to an existing open file-descriptor in the format "&N" where N is the file descriptor number. The VDPAU wrapper library is responsible for determining which vendor-specific driver to load for a given X11 display/screen. At present, it hard-codes "nvidia" as the driver. The environment variable VDPAU_DRIVER may be set to override this default. The actual library loaded will be libvdpau_${VDPAU_DRIVER}.so. Setting VDPAU_DRIVER to "trace" is not advised. ++++++ U_Use-secure_getenv-3-to-improve-security.patch ++++++ >From d1f9c16b1a8187110e501c9116d21ffee25c0ba4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20Hiram=20Soltren?= <[email protected]> Date: Mon, 17 Aug 2015 16:01:44 -0500 Subject: [PATCH] Use secure_getenv(3) to improve security This patch is in response to the following security vulnerabilities (CVEs) reported to NVIDIA against libvdpau: CVE-2015-5198 CVE-2015-5199 CVE-2015-5200 To address these CVEs, this patch: - replaces all uses of getenv(3) with secure_getenv(3); - uses secure_getenv(3) when available, with a fallback option; - protects VDPAU_DRIVER against directory traversal by checking for '/' On platforms where secure_getenv(3) is not available, the C preprocessor will print a warning at compile time. Then, a preprocessor macro will replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check: getuid() == geteuid() && getgid() == getegid() See getuid(2) and getgid(2) for further details. Signed-off-by: Aaron Plattner <[email protected]> Reviewed-by: Florian Weimer <[email protected]> --- configure.ac | 4 ++++ src/Makefile.am | 1 + src/mesa_dri2.c | 6 ++++-- src/util.h | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ src/vdpau_wrapper.c | 28 ++++++++++++++++------------ trace/vdpau_trace.cpp | 8 +++++--- 6 files changed, 78 insertions(+), 17 deletions(-) create mode 100644 src/util.h Index: libvdpau-0.8/configure.ac =================================================================== --- libvdpau-0.8.orig/configure.ac +++ libvdpau-0.8/configure.ac @@ -6,6 +6,10 @@ AM_MAINTAINER_MODE AC_CONFIG_HEADERS(config.h) +# Check for secure_getenv +AC_USE_SYSTEM_EXTENSIONS +AC_CHECK_FUNCS([__secure_getenv secure_getenv]) + # Disable static libraries by default. Use --enable-static if you really want # them. AC_DISABLE_STATIC Index: libvdpau-0.8/src/Makefile.am =================================================================== --- libvdpau-0.8.orig/src/Makefile.am +++ libvdpau-0.8/src/Makefile.am 
@@ -9,6 +9,7 @@ lib_LTLIBRARIES = libvdpau.la libvdpau_la_SOURCES = \ vdpau_wrapper.c \ + util.h \ $(DRI2_SOURCES) if DRI2 Index: libvdpau-0.8/src/mesa_dri2.c =================================================================== --- libvdpau-0.8.orig/src/mesa_dri2.c +++ libvdpau-0.8/src/mesa_dri2.c @@ -1,6 +1,6 @@ /* * Copyright © 2008 Red Hat, Inc. - * Copyright © 2010 NVIDIA Corporation + * Copyright © 2010-2015 NVIDIA Corporation * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the "Soft- @@ -30,6 +30,7 @@ * Authors: * Kristian Høgsberg ([email protected]) * Modified for VDPAU by Aaron Plattner ([email protected]) + * and José Hiram Soltren ([email protected]) */ @@ -39,6 +40,7 @@ #include <X11/extensions/extutil.h> #include <X11/extensions/dri2proto.h> #include "mesa_dri2.h" +#include "util.h" static char dri2ExtensionName[] = DRI2_NAME; static XExtensionInfo *dri2Info; @@ -130,7 +132,7 @@ _vdp_DRI2Connect(Display * dpy, XID wind req->driverType = DRI2DriverVDPAU; #ifdef DRI2DriverPrimeShift { - char *prime = getenv("DRI_PRIME"); + char *prime = secure_getenv("DRI_PRIME"); if (prime) { unsigned int primeid; errno = 0; Index: libvdpau-0.8/src/util.h =================================================================== --- /dev/null +++ libvdpau-0.8/src/util.h 
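Review bot: `secure_getenv` may be called without a visible prototype in mesa_dri2.c, because `#include "util.h"` is added after the system and X11 headers and util.h is the file that pulls in config.h. The `_GNU_SOURCE` definition that AC_USE_SYSTEM_EXTENSIONS places in config.h then arrives after `<stdlib.h>` may already have been processed, and the second include of `<stdlib.h>` inside util.h is a no-op. Whether config.h is included earlier in this file cannot be seen from the hunk; if it is not, the pointer returned by `secure_getenv("DRI_PRIME")` would be treated as `int`. Putting `#ifdef HAVE_CONFIG_H` / `#include "config.h"` / `#endif` ahead of every system header in each file that uses util.h removes the dependency on include order.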
@@ -0,0 +1,48 @@ +/* + * Copyright (c) 2015 NVIDIA Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include <unistd.h> +#include <stdlib.h> + +static char * getenv_wrapper(const char *name) +{ + if (getuid() == geteuid() && getgid() == getegid()) { + return getenv(name); + } + else { + return NULL; + } +} + +#ifndef HAVE_SECURE_GETENV +# ifdef HAVE___SECURE_GETENV +# define secure_getenv __secure_getenv +# else +# warning Neither secure_getenv nor __secure_getenv is available. +# define secure_getenv getenv_wrapper +# endif +#endif Index: libvdpau-0.8/src/vdpau_wrapper.c =================================================================== --- libvdpau-0.8.orig/src/vdpau_wrapper.c +++ libvdpau-0.8/src/vdpau_wrapper.c 
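Review bot: The fallback `getenv_wrapper()` in util.h only compares real and effective uid/gid, which is narrower than what secure_getenv(3) tests on glibc, where the result is also NULL when privilege was gained through file capabilities or a similar secure-execution transition. On platforms that take the fallback, the environment overrides therefore stay honoured in those cases, and the `#warning` text does not say so. I would document that above the function, e.g. `/* Fallback: detects only setuid/setgid execution, not file capabilities. */`. Separately, the header has no include guard and defines a `static` non-inline function, so every file that includes it where `secure_getenv` exists carries an unused function; `static inline char *getenv_wrapper(const char *name)` plus an `#ifndef` guard would avoid that.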
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2008-2009 NVIDIA, Corporation + * Copyright (c) 2008-2015 NVIDIA Corporation * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -36,6 +36,7 @@ #include "mesa_dri2.h" #include <X11/Xlib.h> #endif +#include "util.h" typedef void SetDllHandle( void * driver_dll_handle @@ -114,7 +115,12 @@ static VdpStatus _vdp_open_driver( char const * vdpau_trace; char const * func_name; - vdpau_driver = getenv("VDPAU_DRIVER"); + vdpau_driver = secure_getenv("VDPAU_DRIVER"); + if (vdpau_driver) { + if (strchr(vdpau_driver, '/')) { + vdpau_driver = NULL; + } + } if (!vdpau_driver) { vdpau_driver = vdpau_driver_dri2 = _vdp_get_driver_name_from_dri2(display, screen); @@ -123,15 +129,13 @@ static VdpStatus _vdp_open_driver( vdpau_driver = "nvidia"; } - if (geteuid() == getuid()) { - /* don't allow setuid apps to use VDPAU_DRIVER_PATH */ - vdpau_driver_path = getenv("VDPAU_DRIVER_PATH"); - if (vdpau_driver_path && - snprintf(vdpau_driver_lib, sizeof(vdpau_driver_lib), - DRIVER_LIB_FORMAT, vdpau_driver_path, vdpau_driver) < - sizeof(vdpau_driver_lib)) { - _vdp_driver_dll = dlopen(vdpau_driver_lib, RTLD_NOW | RTLD_GLOBAL); - } + /* Don't allow setuid apps to use VDPAU_DRIVER_PATH */ + vdpau_driver_path = secure_getenv("VDPAU_DRIVER_PATH"); + if (vdpau_driver_path && + snprintf(vdpau_driver_lib, sizeof(vdpau_driver_lib), + DRIVER_LIB_FORMAT, vdpau_driver_path, vdpau_driver) < + sizeof(vdpau_driver_lib)) { + _vdp_driver_dll = dlopen(vdpau_driver_lib, RTLD_NOW | RTLD_GLOBAL); } /* Fallback to VDPAU_MODULEDIR when VDPAU_DRIVER_PATH is not set, 
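Review bot: The '/' rejection added in `_vdp_open_driver` covers only the value read from `VDPAU_DRIVER`; the name returned by `_vdp_get_driver_name_from_dri2()` is assigned to `vdpau_driver` after the check and reaches the same `DRIVER_LIB_FORMAT` path unfiltered. Whether that helper validates the name itself is not visible from this hunk, so it is worth confirming, or moving the test below the DRI2 fallback so every source is covered: `if (vdpau_driver && strchr(vdpau_driver, '/')) vdpau_driver = NULL;` placed just before the `"nvidia"` default. The rejected value is also dropped silently, so a one-line message on stderr would help users whose override is ignored. The function body starts and ends outside the hunk.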
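Review bot: The comment `/* Don't allow setuid apps to use VDPAU_DRIVER_PATH */` in the `@@ -123,15 +129,13 @@` hunk no longer describes what guards the lookup, since the explicit `geteuid() == getuid()` test is removed and the restriction now lives inside `secure_getenv`, which equally applies to `VDPAU_DRIVER` and `VDPAU_TRACE`. I would reword it to `/* secure_getenv() returns NULL for privileged (e.g. setuid/setgid) processes, so VDPAU_DRIVER_PATH is ignored there */`. The `snprintf(...) < sizeof(vdpau_driver_lib)` test compares an `int` with a `size_t`; it happens to fail safe on a negative return, but storing the result and testing `n >= 0 &&` first would make that intent readable.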
@@ -174,7 +178,7 @@ static VdpStatus _vdp_open_driver( _vdp_backend_dll = _vdp_driver_dll; - vdpau_trace = getenv("VDPAU_TRACE"); + vdpau_trace = secure_getenv("VDPAU_TRACE"); if (vdpau_trace && atoi(vdpau_trace)) { SetDllHandle * set_dll_handle; Index: libvdpau-0.8/trace/vdpau_trace.cpp =================================================================== --- libvdpau-0.8.orig/trace/vdpau_trace.cpp +++ libvdpau-0.8/trace/vdpau_trace.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008-2009 NVIDIA, Corporation + * Copyright (c) 2008-2015 NVIDIA Corporation * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -31,6 +31,8 @@ #include <string.h> #include <vdpau/vdpau_x11.h> +#include "../src/util.h" + #define _VDP_TRACE_ARSIZE(_x_) ((sizeof (_x_)) / (sizeof ((_x_)[0]))) #if DEBUG @@ -4558,13 +4560,13 @@ VdpStatus vdp_trace_device_create_x11( } else { _vdp_cap_data.level = 0; - char const * vdpau_trace = getenv("VDPAU_TRACE"); + char const * vdpau_trace = secure_getenv("VDPAU_TRACE"); if (vdpau_trace) { _vdp_cap_data.level = atoi(vdpau_trace); } _vdp_cap_data.fp = 0; - char const * vdpau_trace_file = getenv("VDPAU_TRACE_FILE"); + char const * vdpau_trace_file = secure_getenv("VDPAU_TRACE_FILE"); if (vdpau_trace_file && strlen(vdpau_trace_file)) { if (vdpau_trace_file[0] == '&') { int fd = atoi(&vdpau_trace_file[1]); ++++++ baselibs.conf ++++++ libvdpau1 libvdpau_trace1 libvdpau-devel requires -libvdpau-<targettype> requires "libvdpau1-<targettype> = <version>" requires "libvdpau_trace1-<targettype> = <version>" ++++++ libvdpau-nopdftex.patch ++++++ --- configure.ac.old 2012-06-26 14:21:28.000000000 +0200 +++ configure.ac 2012-06-26 14:22:30.000000000 +0200 
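Review bot: The `&N` form of `VDPAU_TRACE_FILE` in `vdp_trace_device_create_x11` is still parsed with `atoi(&vdpau_trace_file[1])`, which cannot report failure: a non-numeric suffix yields descriptor 0 and a negative number is accepted as is. How `fd` is used afterwards is outside the hunk, so this is hedged, but parsing with `strtol`, checking that the end pointer advanced to the terminating NUL, and rejecting `fd < 0` would keep a malformed value from selecting an unintended descriptor. The same applies to `atoi(vdpau_trace)` for the trace level, where garbage silently means level 0.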
@@ -48,11 +48,9 @@ AC_ARG_ENABLE(documentation, AS_HELP_STR if test "x$DOCS" != xno; then AC_CHECK_TOOL([DOXYGEN], [doxygen], [no]) AC_CHECK_TOOL([DOT], [dot], [no]) - AC_CHECK_TOOL([PDFTEX], [pdftex], [no]) else DOXYGEN=no DOT=no - PDFTEX=no fi if test "x$DOCS" = xyes; then if test "x$DOXYGEN" = xno; then @@ -61,11 +59,8 @@ if test "x$DOCS" = xyes; then if test "x$DOT" = xno; then AC_ERROR([Documentation enabled but dot was not found in your path. Please install graphviz]) fi - if test "x$PDFTEX" = xno; then - AC_ERROR([Documentation enabled but pdftex was not found in your path]) - fi fi -AM_CONDITIONAL([ENABLE_DOCS], [test "x$DOXYGEN" != xno -a "x$DOT" != xno -a "x$PDFTEX" != xno]) +AM_CONDITIONAL([ENABLE_DOCS], [test "x$DOXYGEN" != xno -a "x$DOT" != xno]) AC_SUBST(DOXYGEN) # Options ++++++ libvdpau-rpmlintrc ++++++ # dir isn't version, but it's contents is addFilter("shlib-policy-nonversioned-dir") addFilter("no-dependency-on") ++++++ vdpauinfo-missing-lX11.diff ++++++ --- configure.ac.orig 2011-08-29 16:31:04.069536000 +0200 +++ configure.ac 2011-08-29 16:31:31.424105000 +0200 @@ -8,7 +8,7 @@ PKG_CHECK_MODULES(VDPAU, x11 [vdpau >= 0.2]) VDPAUINFO_CXXFLAGS="$VDPAUINFO_CXXFLAGS $VDPAU_CFLAGS" -VDPAUINFO_LIBS="$VDPAUINFO_LIBS $VDPAU_LIBS" +VDPAUINFO_LIBS="$VDPAUINFO_LIBS $VDPAU_LIBS -lX11" AC_SUBST(VDPAUINFO_CXXFLAGS) AC_SUBST(VDPAUINFO_LIBS)
