On Thu, 2015-09-03 at 14:49 +0200, Alessandro Ghedini wrote:
> Source: libvdpau
> Severity: important
> Tags: security, fixed-upstream
>
> Hi,
>
> the following vulnerabilities were published for libvdpau.
>
> CVE-2015-5198[0]:
> incorrect check for security transition
>
> CVE-2015-5199[1]:
> directory traversal in dlopen
>
> CVE-2015-5200[2]:
> vulnerability in trace functionality
>
> All of them are fixed by the patch [3], shipped in the 1.1.1 upstream
> release.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-5198
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5198
> [1] https://security-tracker.debian.org/tracker/CVE-2015-5199
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5199
> [2] https://security-tracker.debian.org/tracker/CVE-2015-5200
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5200
> [3]
> http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4

Dear Alessandro and dear Security Team,

I have backported the upstream patch for the aforementioned CVEs to jessie, wheezy and squeeze. I have attached the debdiffs for review.

I have verified they all build in amd64 and i386 chroots. I have verified that the jessie and wheezy amd64 packages work using "vdpauinfo".

Due to the need of a bare-metal installation (direct access to Nvidia GPU is required), I have _NOT_ tested other architectures for jessie and wheezy, and I have _NOT_ tested the squeeze build at all, because I do not possess hardware capable of running with squeeze drivers, but given the fact that it's the same upstream version as the wheezy build I am reasonably confident it should work.

Two questions for you:

1) Do these CVEs warrant a DSA and an upload to security.debian.org, or should I go through the proposed-updates route and ping the release team instead?

2) If the answer to 1) is yes, does this apply to squeeze as well or should I work with debian-lts team instead?

Thank you!

Kind regards,
Luca Boccassi

diff -Nru libvdpau-0.8/debian/changelog libvdpau-0.8/debian/changelog --- libvdpau-0.8/debian/changelog 2014-10-19 21:23:00.000000000 +0100 +++ libvdpau-0.8/debian/changelog 2015-09-05 11:34:04.000000000 +0100 @@ -1,3 +1,12 @@ +libvdpau (0.8-3+deb8u1) jessie-security; urgency=high + + * Patch for CVE 2015-5198, 2015-5199, 2015-5200 + - Use secure_getenv(3) to improve security + (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895. + * Add myself to Uploaders + + -- Luca Boccassi <luca.bocca...@gmail.com> Fri, 04 Sep 2015 23:23:40 +0100 + libvdpau (0.8-3) unstable; urgency=medium * Add a bug-script to collect some driver information. diff -Nru libvdpau-0.8/debian/control libvdpau-0.8/debian/control --- libvdpau-0.8/debian/control 2014-10-19 21:23:00.000000000 +0100 +++ libvdpau-0.8/debian/control 2015-09-05 11:34:04.000000000 +0100 @@ -6,7 +6,8 @@ Jean-Yves Avenard <jyaven...@gmail.com>, Russ Allbery <r...@debian.org>, Andreas Beckmann <a...@debian.org>, - Vincent Cheng <vch...@debian.org> + Vincent Cheng <vch...@debian.org>, + Luca Boccassi <luca.bocca...@gmail.com> Build-Depends: debhelper (>= 9), dh-autoreconf, diff -Nru libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch --- libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvdpau-0.8/debian/patches/0007-Use-secure_getenv-3-to-improve-security.patch 2015-09-05 11:34:04.000000000 +0100 
@@ -0,0 +1,256 @@ +From: José Hiram Soltren <jsolt...@nvidia.com> +Date: Mon, 17 Aug 2015 16:01:44 -0500 +Subject: Use secure_getenv(3) to improve security + +This patch is in response to the following security vulnerabilities +(CVEs) reported to NVIDIA against libvdpau: + +CVE-2015-5198 +CVE-2015-5199 +CVE-2015-5200 + +To address these CVEs, this patch: + +- replaces all uses of getenv(3) with secure_getenv(3); +- uses secure_getenv(3) when available, with a fallback option; +- protects VDPAU_DRIVER against directory traversal by checking for '/' + +On platforms where secure_getenv(3) is not available, the C preprocessor +will print a warning at compile time. Then, a preprocessor macro will +replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check: + + getuid() == geteuid() && getgid() == getegid() + +See getuid(2) and getgid(2) for further details. + +Signed-off-by: Aaron Plattner <aplatt...@nvidia.com> +Reviewed-by: Florian Weimer <fwei...@redhat.com> +--- + configure.ac | 4 ++++ + src/Makefile.am | 1 + + src/mesa_dri2.c | 6 ++++-- + src/util.h | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ + src/vdpau_wrapper.c | 28 ++++++++++++++++------------ + trace/vdpau_trace.cpp | 8 +++++--- + 6 files changed, 78 insertions(+), 17 deletions(-) + create mode 100644 src/util.h + +diff --git a/configure.ac b/configure.ac +index 29ad593..0f7d1da 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -6,6 +6,10 @@ AM_MAINTAINER_MODE + + AC_CONFIG_HEADERS(config.h) + ++# Check for secure_getenv ++AC_USE_SYSTEM_EXTENSIONS ++AC_CHECK_FUNCS([__secure_getenv secure_getenv]) ++ + # Disable static libraries by default. Use --enable-static if you really want + # them. 
+ AC_DISABLE_STATIC +diff --git a/src/Makefile.am b/src/Makefile.am +index 32daa8e..ef72f43 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -9,6 +9,7 @@ lib_LTLIBRARIES = libvdpau.la + + libvdpau_la_SOURCES = \ + vdpau_wrapper.c \ ++ util.h \ + $(DRI2_SOURCES) + + if DRI2 +diff --git a/src/mesa_dri2.c b/src/mesa_dri2.c +index 5f7146a..51e8794 100644 +--- a/src/mesa_dri2.c ++++ b/src/mesa_dri2.c +@@ -1,6 +1,6 @@ + /* + * Copyright © 2008 Red Hat, Inc. +- * Copyright © 2010 NVIDIA Corporation ++ * Copyright © 2010-2015 NVIDIA Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Soft- +@@ -30,6 +30,7 @@ + * Authors: + * Kristian Høgsberg (k...@redhat.com) + * Modified for VDPAU by Aaron Plattner (aplatt...@nvidia.com) ++ * and José Hiram Soltren (jsolt...@nvidia.com) + */ + + +@@ -39,6 +40,7 @@ + #include <X11/extensions/extutil.h> + #include <X11/extensions/dri2proto.h> + #include "mesa_dri2.h" ++#include "util.h" + + static char dri2ExtensionName[] = DRI2_NAME; + static XExtensionInfo *dri2Info; +@@ -130,7 +132,7 @@ _vdp_DRI2Connect(Display * dpy, XID window, char **driverName, char **deviceName + req->driverType = DRI2DriverVDPAU; + #ifdef DRI2DriverPrimeShift + { +- char *prime = getenv("DRI_PRIME"); ++ char *prime = secure_getenv("DRI_PRIME"); + if (prime) { + unsigned int primeid; + errno = 0; +diff --git a/src/util.h b/src/util.h +new file mode 100644 +index 0000000..1452c06 +--- /dev/null ++++ b/src/util.h +@@ -0,0 +1,48 @@ ++/* ++ * Copyright (c) 2015 NVIDIA Corporation ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons 
to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ ++#include <unistd.h> ++#include <stdlib.h> ++ ++static char * getenv_wrapper(const char *name) ++{ ++ if (getuid() == geteuid() && getgid() == getegid()) { ++ return getenv(name); ++ } ++ else { ++ return NULL; ++ } ++} ++ ++#ifndef HAVE_SECURE_GETENV ++# ifdef HAVE___SECURE_GETENV ++# define secure_getenv __secure_getenv ++# else ++# warning Neither secure_getenv nor __secure_getenv is available. 
++# define secure_getenv getenv_wrapper ++# endif ++#endif +diff --git a/src/vdpau_wrapper.c b/src/vdpau_wrapper.c +index e273bcf..42f705c 100644 +--- a/src/vdpau_wrapper.c ++++ b/src/vdpau_wrapper.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2008-2009 NVIDIA, Corporation ++ * Copyright (c) 2008-2015 NVIDIA Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal +@@ -36,6 +36,7 @@ + #include "mesa_dri2.h" + #include <X11/Xlib.h> + #endif ++#include "util.h" + + typedef void SetDllHandle( + void * driver_dll_handle +@@ -122,7 +123,12 @@ static VdpStatus _vdp_open_driver( + char const * func_name; + char const ** module_path; + +- vdpau_driver = getenv("VDPAU_DRIVER"); ++ vdpau_driver = secure_getenv("VDPAU_DRIVER"); ++ if (vdpau_driver) { ++ if (strchr(vdpau_driver, '/')) { ++ vdpau_driver = NULL; ++ } ++ } + if (!vdpau_driver) { + vdpau_driver = vdpau_driver_dri2 = + _vdp_get_driver_name_from_dri2(display, screen); +@@ -133,15 +139,13 @@ static VdpStatus _vdp_open_driver( + + _vdp_driver_dll = NULL; + +- if (geteuid() == getuid()) { +- /* don't allow setuid apps to use VDPAU_DRIVER_PATH */ +- vdpau_driver_path = getenv("VDPAU_DRIVER_PATH"); +- if (vdpau_driver_path && +- snprintf(vdpau_driver_lib, sizeof(vdpau_driver_lib), +- DRIVER_LIB_FORMAT, vdpau_driver_path, vdpau_driver) < +- sizeof(vdpau_driver_lib)) { +- _vdp_driver_dll = dlopen(vdpau_driver_lib, RTLD_NOW | RTLD_GLOBAL); +- } ++ /* Don't allow setuid apps to use VDPAU_DRIVER_PATH */ ++ vdpau_driver_path = secure_getenv("VDPAU_DRIVER_PATH"); ++ if (vdpau_driver_path && ++ snprintf(vdpau_driver_lib, sizeof(vdpau_driver_lib), ++ DRIVER_LIB_FORMAT, vdpau_driver_path, vdpau_driver) < ++ sizeof(vdpau_driver_lib)) { ++ _vdp_driver_dll = dlopen(vdpau_driver_lib, RTLD_NOW | RTLD_GLOBAL); + } + + /* Fallback to VDPAU_MODULEDIR when VDPAU_DRIVER_PATH is not set, +@@ -181,7 +185,7 @@ static VdpStatus 
_vdp_open_driver( + + _vdp_backend_dll = _vdp_driver_dll; + +- vdpau_trace = getenv("VDPAU_TRACE"); ++ vdpau_trace = secure_getenv("VDPAU_TRACE"); + if (vdpau_trace && atoi(vdpau_trace)) { + SetDllHandle * set_dll_handle; + +diff --git a/trace/vdpau_trace.cpp b/trace/vdpau_trace.cpp +index 31c988a..05a0530 100644 +--- a/trace/vdpau_trace.cpp ++++ b/trace/vdpau_trace.cpp +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2008-2009 NVIDIA, Corporation ++ * Copyright (c) 2008-2015 NVIDIA Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal +@@ -31,6 +31,8 @@ + #include <string.h> + #include <vdpau/vdpau_x11.h> + ++#include "../src/util.h" ++ + #define _VDP_TRACE_ARSIZE(_x_) ((sizeof (_x_)) / (sizeof ((_x_)[0]))) + + #if DEBUG +@@ -4558,13 +4560,13 @@ VdpStatus vdp_trace_device_create_x11( + } + else { + _vdp_cap_data.level = 0; +- char const * vdpau_trace = getenv("VDPAU_TRACE"); ++ char const * vdpau_trace = secure_getenv("VDPAU_TRACE"); + if (vdpau_trace) { + _vdp_cap_data.level = atoi(vdpau_trace); + } + + _vdp_cap_data.fp = 0; +- char const * vdpau_trace_file = getenv("VDPAU_TRACE_FILE"); ++ char const * vdpau_trace_file = secure_getenv("VDPAU_TRACE_FILE"); + if (vdpau_trace_file && strlen(vdpau_trace_file)) { + if (vdpau_trace_file[0] == '&') { + int fd = atoi(&vdpau_trace_file[1]); diff -Nru libvdpau-0.8/debian/patches/series libvdpau-0.8/debian/patches/series --- libvdpau-0.8/debian/patches/series 2014-10-19 21:23:00.000000000 +0100 +++ libvdpau-0.8/debian/patches/series 2015-09-05 11:34:04.000000000 +0100 @@ -4,3 +4,4 @@ simplify-dlopen-path-length-error-handling.patch vdpau-module-searchpath.patch hardening.patch +0007-Use-secure_getenv-3-to-improve-security.patch
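Review bot: In the new src/util.h, the fallback getenv_wrapper() only tests getuid() == geteuid() && getgid() == getegid(), which is narrower than secure_getenv(3): glibc's secure_getenv follows the kernel's secure-execution flag (AT_SECURE), so it also returns NULL for a binary that gained privilege through file capabilities, a case the uid/gid comparison does not catch. The macro chain selects that fallback only when neither HAVE_SECURE_GETENV nor HAVE___SECURE_GETENV is defined, so please check the jessie build log for the "Neither secure_getenv nor __secure_getenv is available" warning and report which branch was actually compiled. Separately, getenv_wrapper() is defined unconditionally as a static function in a header that has no include guard and is now included from mesa_dri2.c, vdpau_wrapper.c and vdpau_trace.cpp; moving the definition inside the final #else branch and adding a guard would keep it out of translation units that never call it.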
diff -Nru libvdpau-0.4.1/debian/changelog libvdpau-0.4.1/debian/changelog --- libvdpau-0.4.1/debian/changelog 2012-08-16 01:21:22.000000000 +0100 +++ libvdpau-0.4.1/debian/changelog 2015-09-05 10:45:02.000000000 +0100 @@ -1,3 +1,12 @@ +libvdpau (0.4.1-7+deb7u1) wheezy-security; urgency=high + + * Patch for CVE 2015-5198, 2015-5199, 2015-5200 + - Use secure_getenv(3) to improve security + (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895. + * Add myself to Uploaders + + -- Luca Boccassi <luca.bocca...@gmail.com> Sat, 05 Sep 2015 01:12:01 +0100 + libvdpau (0.4.1-7) unstable; urgency=low * The last (and only) reverse dependency of lib32vdpau1 was the non-free diff -Nru libvdpau-0.4.1/debian/control libvdpau-0.4.1/debian/control --- libvdpau-0.4.1/debian/control 2012-08-16 01:21:22.000000000 +0100 +++ libvdpau-0.4.1/debian/control 2015-09-05 10:45:02.000000000 +0100 @@ -7,6 +7,7 @@ Andres Mejia <ame...@debian.org>, Russ Allbery <r...@debian.org>, Andreas Beckmann <deb...@abeckmann.de>, + Luca Boccassi <luca.bocca...@gmail.com>, DM-Upload-Allowed: yes Build-Depends: debhelper (>= 9), diff -Nru libvdpau-0.4.1/debian/patches/0006-Use-secure_getenv-3-to-improve-security.patch libvdpau-0.4.1/debian/patches/0006-Use-secure_getenv-3-to-improve-security.patch --- libvdpau-0.4.1/debian/patches/0006-Use-secure_getenv-3-to-improve-security.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvdpau-0.4.1/debian/patches/0006-Use-secure_getenv-3-to-improve-security.patch 2015-09-05 10:45:02.000000000 +0100 
@@ -0,0 +1,195 @@ +From: José Hiram Soltren <jsolt...@nvidia.com> +Date: Mon, 17 Aug 2015 16:01:44 -0500 +Subject: Use secure_getenv(3) to improve security + +This patch is in response to the following security vulnerabilities +(CVEs) reported to NVIDIA against libvdpau: + +CVE-2015-5198 +CVE-2015-5199 +CVE-2015-5200 + +To address these CVEs, this patch: + +- replaces all uses of getenv(3) with secure_getenv(3); +- uses secure_getenv(3) when available, with a fallback option; +- protects VDPAU_DRIVER against directory traversal by checking for '/' + +On platforms where secure_getenv(3) is not available, the C preprocessor +will print a warning at compile time. Then, a preprocessor macro will +replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check: + + getuid() == geteuid() && getgid() == getegid() + +See getuid(2) and getgid(2) for further details. + +Signed-off-by: Aaron Plattner <aplatt...@nvidia.com> +Reviewed-by: Florian Weimer <fwei...@redhat.com> +--- + configure.ac | 4 ++++ + src/Makefile.am | 1 + + src/util.h | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ + src/vdpau_wrapper.c | 12 +++++++++--- + trace/vdpau_trace.cpp | 8 +++++--- + 5 files changed, 67 insertions(+), 6 deletions(-) + create mode 100644 src/util.h + +diff --git a/configure.ac b/configure.ac +index 7bcee26..1db03b8 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -6,6 +6,10 @@ AM_MAINTAINER_MODE + + AM_CONFIG_HEADER(config.h) + ++# Check for secure_getenv ++AC_USE_SYSTEM_EXTENSIONS ++AC_CHECK_FUNCS([__secure_getenv secure_getenv]) ++ + # Disable static libraries by default. Use --enable-static if you really want + # them. 
+ AC_DISABLE_STATIC +diff --git a/src/Makefile.am b/src/Makefile.am +index e216887..6bd0338 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -9,6 +9,7 @@ lib_LTLIBRARIES = libvdpau.la + + libvdpau_la_SOURCES = \ + vdpau_wrapper.c \ ++ util.h \ + $(DRI2_SOURCES) + + if DRI2 +diff --git a/src/util.h b/src/util.h +new file mode 100644 +index 0000000..1452c06 +--- /dev/null ++++ b/src/util.h +@@ -0,0 +1,48 @@ ++/* ++ * Copyright (c) 2015 NVIDIA Corporation ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. 
++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ ++#include <unistd.h> ++#include <stdlib.h> ++ ++static char * getenv_wrapper(const char *name) ++{ ++ if (getuid() == geteuid() && getgid() == getegid()) { ++ return getenv(name); ++ } ++ else { ++ return NULL; ++ } ++} ++ ++#ifndef HAVE_SECURE_GETENV ++# ifdef HAVE___SECURE_GETENV ++# define secure_getenv __secure_getenv ++# else ++# warning Neither secure_getenv nor __secure_getenv is available. ++# define secure_getenv getenv_wrapper ++# endif ++#endif +diff --git a/src/vdpau_wrapper.c b/src/vdpau_wrapper.c +index d67aa52..7d1a44b 100644 +--- a/src/vdpau_wrapper.c ++++ b/src/vdpau_wrapper.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2008-2009 NVIDIA, Corporation ++ * Copyright (c) 2008-2015 NVIDIA Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal +@@ -35,6 +35,7 @@ + #include "mesa_dri2.h" + #include <X11/Xlib.h> + #endif ++#include "util.h" + + typedef void SetDllHandle( + void * driver_dll_handle +@@ -117,7 +118,12 @@ static VdpStatus _vdp_open_driver( + char const * func_name; + char const ** module_path; + +- vdpau_driver = getenv("VDPAU_DRIVER"); ++ vdpau_driver = secure_getenv("VDPAU_DRIVER"); ++ if (vdpau_driver) { ++ if (strchr(vdpau_driver, '/')) { ++ vdpau_driver = NULL; ++ } ++ } + if (!vdpau_driver) { + vdpau_driver = vdpau_driver_dri2 = + _vdp_get_driver_name_from_dri2(display, screen); +@@ -163,7 +169,7 @@ static VdpStatus _vdp_open_driver( + + _vdp_backend_dll = _vdp_driver_dll; + +- vdpau_trace = getenv("VDPAU_TRACE"); ++ vdpau_trace = secure_getenv("VDPAU_TRACE"); + if (vdpau_trace && atoi(vdpau_trace)) { + SetDllHandle * set_dll_handle; + +diff --git a/trace/vdpau_trace.cpp b/trace/vdpau_trace.cpp +index 821209a..81db2fb 100644 +--- a/trace/vdpau_trace.cpp ++++ b/trace/vdpau_trace.cpp +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2008-2009 NVIDIA, Corporation 
++ * Copyright (c) 2008-2015 NVIDIA Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal +@@ -31,6 +31,8 @@ + #include <string.h> + #include <vdpau/vdpau_x11.h> + ++#include "../src/util.h" ++ + #define _VDP_TRACE_ARSIZE(_x_) ((sizeof (_x_)) / (sizeof ((_x_)[0]))) + + #if DEBUG +@@ -4575,13 +4577,13 @@ VdpStatus vdp_trace_device_create_x11( + } + else { + _vdp_cap_data.level = 0; +- char const * vdpau_trace = getenv("VDPAU_TRACE"); ++ char const * vdpau_trace = secure_getenv("VDPAU_TRACE"); + if (vdpau_trace) { + _vdp_cap_data.level = atoi(vdpau_trace); + } + + _vdp_cap_data.fp = 0; +- char const * vdpau_trace_file = getenv("VDPAU_TRACE_FILE"); ++ char const * vdpau_trace_file = secure_getenv("VDPAU_TRACE_FILE"); + if (vdpau_trace_file && strlen(vdpau_trace_file)) { + if (vdpau_trace_file[0] == '&') { + int fd = atoi(&vdpau_trace_file[1]); diff -Nru libvdpau-0.4.1/debian/patches/series libvdpau-0.4.1/debian/patches/series --- libvdpau-0.4.1/debian/patches/series 2012-08-16 01:21:22.000000000 +0100 +++ libvdpau-0.4.1/debian/patches/series 2015-09-05 10:45:02.000000000 +0100 @@ -3,3 +3,4 @@ simplify-dlopen-path-length-error-handling.patch vdpau-module-searchpath.patch libvdpau_flashplayer.patch +0006-Use-secure_getenv-3-to-improve-security.patch
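Review bot: The commit message carried in 0006-Use-secure_getenv-3-to-improve-security.patch still says it "replaces all uses of getenv(3)", but this 0.4.1 backport has no src/mesa_dri2.c hunk and no VDPAU_DRIVER_PATH hunk in src/vdpau_wrapper.c (its diffstat lists 5 files, against 6 in the 0.8 debdiff). The patch is applied last in debian/patches/series, after vdpau-module-searchpath.patch, so please grep the fully patched tree for remaining getenv( calls and state the result; if an earlier Debian patch adds an environment lookup for the module path, it needs the same secure_getenv conversion. A short note in the patch header saying which upstream hunks were dropped and why would make the backport checkable against the upstream commit.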
diff -Nru libvdpau-0.4.1/debian/changelog libvdpau-0.4.1/debian/changelog --- libvdpau-0.4.1/debian/changelog 2010-11-12 22:18:12.000000000 +0000 +++ libvdpau-0.4.1/debian/changelog 2015-09-05 12:46:15.000000000 +0100 @@ -1,3 +1,12 @@ +libvdpau (0.4.1-2+deb6u1) squeeze-security; urgency=high + + * Patch for CVE 2015-5198, 2015-5199, 2015-5200 + - Use secure_getenv(3) to improve security + (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895. + * Add myself to Uploaders + + -- Luca Boccassi <luca.bocca...@gmail.com> Sat, 05 Sep 2015 01:41:37 +0100 + libvdpau (0.4.1-2) unstable; urgency=high * Provide an upload to unstable to fix build failure. (Closes: #603220) diff -Nru libvdpau-0.4.1/debian/control libvdpau-0.4.1/debian/control --- libvdpau-0.4.1/debian/control 2010-09-20 18:14:00.000000000 +0100 +++ libvdpau-0.4.1/debian/control 2015-09-05 12:46:14.000000000 +0100 @@ -3,7 +3,8 @@ Priority: optional Maintainer: Debian NVIDIA Maintainers <pkg-nvidia-de...@lists.alioth.debian.org> Uploaders: Jean-Yves Avenard <jyaven...@gmail.com>, - Andres Mejia <mcita...@gmail.com>, Russ Allbery <r...@debian.org> + Andres Mejia <mcita...@gmail.com>, Russ Allbery <r...@debian.org>, + Luca Boccassi <luca.bocca...@gmail.com> DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), pkg-config, libx11-dev, x11proto-dri2-dev (>= 2.2), libxext-dev, diff -Nru libvdpau-0.4.1/debian/patches/0004-Use-secure_getenv-3-to-improve-security.patch libvdpau-0.4.1/debian/patches/0004-Use-secure_getenv-3-to-improve-security.patch --- libvdpau-0.4.1/debian/patches/0004-Use-secure_getenv-3-to-improve-security.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvdpau-0.4.1/debian/patches/0004-Use-secure_getenv-3-to-improve-security.patch 2015-09-05 12:45:39.000000000 +0100 
@@ -0,0 +1,195 @@ +From: José Hiram Soltren <jsolt...@nvidia.com> +Date: Mon, 17 Aug 2015 16:01:44 -0500 +Subject: Use secure_getenv(3) to improve security + +This patch is in response to the following security vulnerabilities +(CVEs) reported to NVIDIA against libvdpau: + +CVE-2015-5198 +CVE-2015-5199 +CVE-2015-5200 + +To address these CVEs, this patch: + +- replaces all uses of getenv(3) with secure_getenv(3); +- uses secure_getenv(3) when available, with a fallback option; +- protects VDPAU_DRIVER against directory traversal by checking for '/' + +On platforms where secure_getenv(3) is not available, the C preprocessor +will print a warning at compile time. Then, a preprocessor macro will +replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check: + + getuid() == geteuid() && getgid() == getegid() + +See getuid(2) and getgid(2) for further details. + +Signed-off-by: Aaron Plattner <aplatt...@nvidia.com> +Reviewed-by: Florian Weimer <fwei...@redhat.com> +--- + configure.ac | 4 ++++ + src/Makefile.am | 1 + + src/util.h | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ + src/vdpau_wrapper.c | 12 +++++++++--- + trace/vdpau_trace.cpp | 8 +++++--- + 5 files changed, 67 insertions(+), 6 deletions(-) + create mode 100644 src/util.h + +diff --git a/configure.ac b/configure.ac +index 7bcee26..1db03b8 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -6,6 +6,10 @@ AM_MAINTAINER_MODE + + AM_CONFIG_HEADER(config.h) + ++# Check for secure_getenv ++AC_USE_SYSTEM_EXTENSIONS ++AC_CHECK_FUNCS([__secure_getenv secure_getenv]) ++ + # Disable static libraries by default. Use --enable-static if you really want + # them. 
+ AC_DISABLE_STATIC +diff --git a/src/Makefile.am b/src/Makefile.am +index 46d7020..1599fbd 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -8,6 +8,7 @@ lib_LTLIBRARIES = libvdpau.la + + libvdpau_la_SOURCES = \ + vdpau_wrapper.c \ ++ util.h \ + $(DRI2_SOURCES) + + if DRI2 +diff --git a/src/util.h b/src/util.h +new file mode 100644 +index 0000000..1452c06 +--- /dev/null ++++ b/src/util.h +@@ -0,0 +1,48 @@ ++/* ++ * Copyright (c) 2015 NVIDIA Corporation ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. 
++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include "config.h" ++#endif ++ ++#include <unistd.h> ++#include <stdlib.h> ++ ++static char * getenv_wrapper(const char *name) ++{ ++ if (getuid() == geteuid() && getgid() == getegid()) { ++ return getenv(name); ++ } ++ else { ++ return NULL; ++ } ++} ++ ++#ifndef HAVE_SECURE_GETENV ++# ifdef HAVE___SECURE_GETENV ++# define secure_getenv __secure_getenv ++# else ++# warning Neither secure_getenv nor __secure_getenv is available. ++# define secure_getenv getenv_wrapper ++# endif ++#endif +diff --git a/src/vdpau_wrapper.c b/src/vdpau_wrapper.c +index f504775..69d19d8 100644 +--- a/src/vdpau_wrapper.c ++++ b/src/vdpau_wrapper.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2008-2009 NVIDIA, Corporation ++ * Copyright (c) 2008-2015 NVIDIA Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal +@@ -35,6 +35,7 @@ + #include "mesa_dri2.h" + #include <X11/Xlib.h> + #endif ++#include "util.h" + + typedef void SetDllHandle( + void * driver_dll_handle +@@ -104,7 +105,12 @@ VdpStatus vdp_device_create_x11( + + VdpDeviceCreateX11 * vdp_imp_device_create_x11; + +- vdpau_driver = getenv("VDPAU_DRIVER"); ++ vdpau_driver = secure_getenv("VDPAU_DRIVER"); ++ if (vdpau_driver) { ++ if (strchr(vdpau_driver, '/')) { ++ vdpau_driver = NULL; ++ } ++ } + if (!vdpau_driver) { + vdpau_driver = vdpau_driver_dri2 = + _vdp_get_driver_name_from_dri2(display, screen); +@@ -145,7 +151,7 @@ VdpStatus vdp_device_create_x11( + return VDP_STATUS_NO_IMPLEMENTATION; + } + +- vdpau_trace = getenv("VDPAU_TRACE"); ++ vdpau_trace = secure_getenv("VDPAU_TRACE"); + if (vdpau_trace && atoi(vdpau_trace)) { + void * trace_dll; + SetDllHandle * set_dll_handle; +diff --git a/trace/vdpau_trace.cpp b/trace/vdpau_trace.cpp +index 821209a..81db2fb 100644 +--- a/trace/vdpau_trace.cpp ++++ b/trace/vdpau_trace.cpp +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2008-2009 
NVIDIA, Corporation ++ * Copyright (c) 2008-2015 NVIDIA Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal +@@ -31,6 +31,8 @@ + #include <string.h> + #include <vdpau/vdpau_x11.h> + ++#include "../src/util.h" ++ + #define _VDP_TRACE_ARSIZE(_x_) ((sizeof (_x_)) / (sizeof ((_x_)[0]))) + + #if DEBUG +@@ -4575,13 +4577,13 @@ VdpStatus vdp_trace_device_create_x11( + } + else { + _vdp_cap_data.level = 0; +- char const * vdpau_trace = getenv("VDPAU_TRACE"); ++ char const * vdpau_trace = secure_getenv("VDPAU_TRACE"); + if (vdpau_trace) { + _vdp_cap_data.level = atoi(vdpau_trace); + } + + _vdp_cap_data.fp = 0; +- char const * vdpau_trace_file = getenv("VDPAU_TRACE_FILE"); ++ char const * vdpau_trace_file = secure_getenv("VDPAU_TRACE_FILE"); + if (vdpau_trace_file && strlen(vdpau_trace_file)) { + if (vdpau_trace_file[0] == '&') { + int fd = atoi(&vdpau_trace_file[1]); diff -Nru libvdpau-0.4.1/debian/patches/series libvdpau-0.4.1/debian/patches/series --- libvdpau-0.4.1/debian/patches/series 2010-11-12 22:19:15.000000000 +0000 +++ libvdpau-0.4.1/debian/patches/series 2015-09-05 12:44:54.000000000 +0100 @@ -1,3 +1,4 @@ link-with-libx11.patch autoreconf_-fi.patch debian-changes-0.4.1-2 +0004-Use-secure_getenv-3-to-improve-security.patch
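Review bot: The configure.ac hunk in 0004-Use-secure_getenv-3-to-improve-security.patch only takes effect if configure and config.h.in are regenerated, and nothing visible in this debdiff does that: the Build-Depends lines shown in debian/control list debhelper (>= 7.0.50~) with no dh-autoreconf, the series applies autoreconf_-fi.patch before this patch rather than after it, and the AM_MAINTAINER_MODE line visible in the hunk header leaves the automatic rebuild rules off by default. If the generated files are not refreshed, HAVE_SECURE_GETENV and HAVE___SECURE_GETENV are never defined and every secure_getenv call compiles to the getenv_wrapper() fallback. Since this build was not tested, please confirm from the build log whether the "Neither secure_getenv nor __secure_getenv is available" warning fires, and either refresh the autotools output as part of the upload or run autoreconf at build time.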