commit af517f56d64118520aa0c8456318dd9ec3307e94 Author: Aaron Plattner <aplattner@nvidia.com> Date: Mon Aug 31 13:59:50 2015 -0700 Bump version to 1.1.1 Signed-off-by: Aaron Plattner <aplattner@nvidia.com> commit d1f9c16b1a8187110e501c9116d21ffee25c0ba4 Author: José Hiram Soltren <jsoltren@nvidia.com> Date: Mon Aug 17 16:01:44 2015 -0500 Use secure_getenv(3) to improve security This patch is in response to the following security vulnerabilities (CVEs) reported to NVIDIA against libvdpau: CVE-2015-5198 CVE-2015-5199 CVE-2015-5200 To address these CVEs, this patch: - replaces all uses of getenv(3) with secure_getenv(3); - uses secure_getenv(3) when available, with a fallback option; - protects VDPAU_DRIVER against directory traversal by checking for '/' On platforms where secure_getenv(3) is not available, the C preprocessor will print a warning at compile time. Then, a preprocessor macro will replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check: getuid() == geteuid() && getgid() == getegid() See getuid(2) and getgid(2) for further details. Signed-off-by: Aaron Plattner <aplattner@nvidia.com> Reviewed-by: Florian Weimer <fweimer@redhat.com>
CC arches when it can go to stable, thanks.
Arch teams, please test and mark stable: =x11-libs/libvdpau-1.1.1 Targeted stable KEYWORDS : amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Arches, Thank you for your work. GLSA Vote: No
Maintainer(s), Thank you for you for cleanup.
GLSA Vote: No