On Tue, 2015-09-01 at 23:30 +0200, Santiago Ruano Rincón wrote:
> Hello dear Debian NVIDIA Maintainers,
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of libvdpau:
> https://security-tracker.debian.org/tracker/source-package/libvdpau
>
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.
>
> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

Dear Santiago and dear LTS team,

I have backported the patch to squeeze. The debdiff is attached for review.

As I mentioned in the bug thread opened by the Security Team [1], I have only verified that it builds (amd64 and i386 chroots), but I am not able to test it due to the need for hardware capable of running with squeeze's very old drivers, which I do not possess.

I have however verified that the wheezy version works, and given that it's the same upstream release (4.1) I am reasonably confident that it should be fine.

In the aforementioned thread [1] I have asked the Security Team whether this upload should go through security.debian.org or through the updates process instead, so I will wait for an answer before I start on the LTS workflow you mentioned.

Thank you!

Kind regards,
Luca Boccassi

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797895

diff -Nru libvdpau-0.4.1/debian/changelog libvdpau-0.4.1/debian/changelog
--- libvdpau-0.4.1/debian/changelog 2010-11-12 22:18:12.000000000 +0000
+++ libvdpau-0.4.1/debian/changelog 2015-09-05 12:46:15.000000000 +0100
@@ -1,3 +1,12 @@
+libvdpau (0.4.1-2+deb6u1) squeeze-security; urgency=high
+
+ * Patch for CVE 2015-5198, 2015-5199, 2015-5200
+ - Use secure_getenv(3) to improve security
+ (CVE-2015-5198, CVE-2015-5199, CVE-2015-5200). Closes: #797895.
+ * Add myself to Uploaders
+
+ -- Luca Boccassi <luca.boccassi@gmail.com> Sat, 05 Sep 2015 01:41:37 +0100
+
libvdpau (0.4.1-2) unstable; urgency=high
* Provide an upload to unstable to fix build failure. (Closes: #603220)
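Review bot: the header line already fixes the target as squeeze-security, while the cover mail says the upload route is still waiting on an answer from the Security Team and the request came from the LTS team; confirm the distribution before the final source package is built. The first bullet also writes the identifiers as "CVE 2015-5198, 2015-5199, 2015-5200", without the hyphenated CVE- form on each one. The sub-bullet already lists all three in full, so the first line can be dropped or folded into it.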
diff -Nru libvdpau-0.4.1/debian/control libvdpau-0.4.1/debian/control
--- libvdpau-0.4.1/debian/control 2010-09-20 18:14:00.000000000 +0100
+++ libvdpau-0.4.1/debian/control 2015-09-05 12:46:14.000000000 +0100
@@ -3,7 +3,8 @@
Priority: optional
Maintainer: Debian NVIDIA Maintainers <pkg-nvidia-devel@lists.alioth.debian.org>
Uploaders: Jean-Yves Avenard <jyavenard@gmail.com>,
- Andres Mejia <mcitadel@gmail.com>, Russ Allbery <rra@debian.org>
+ Andres Mejia <mcitadel@gmail.com>, Russ Allbery <rra@debian.org>,
+ Luca Boccassi <luca.boccassi@gmail.com>
DM-Upload-Allowed: yes
Build-Depends: debhelper (>= 7.0.50~), pkg-config, libx11-dev,
x11proto-dri2-dev (>= 2.2), libxext-dev,
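Review bot: the Uploaders change is unrelated to the three CVEs, and a security upload to a released suite is easier to review when the debdiff contains only the fix. Consider leaving this hunk and the matching "Add myself to Uploaders" changelog line for a regular upload.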
diff -Nru libvdpau-0.4.1/debian/patches/0004-Use-secure_getenv-3-to-improve-security.patch libvdpau-0.4.1/debian/patches/0004-Use-secure_getenv-3-to-improve-security.patch
--- libvdpau-0.4.1/debian/patches/0004-Use-secure_getenv-3-to-improve-security.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvdpau-0.4.1/debian/patches/0004-Use-secure_getenv-3-to-improve-security.patch 2015-09-05 12:45:39.000000000 +0100
@@ -0,0 +1,195 @@
+From: José Hiram Soltren <jsoltren@nvidia.com>
+Date: Mon, 17 Aug 2015 16:01:44 -0500
+Subject: Use secure_getenv(3) to improve security
+
+This patch is in response to the following security vulnerabilities
+(CVEs) reported to NVIDIA against libvdpau:
+
+CVE-2015-5198
+CVE-2015-5199
+CVE-2015-5200
+
+To address these CVEs, this patch:
+
+- replaces all uses of getenv(3) with secure_getenv(3);
+- uses secure_getenv(3) when available, with a fallback option;
+- protects VDPAU_DRIVER against directory traversal by checking for '/'
+
+On platforms where secure_getenv(3) is not available, the C preprocessor
+will print a warning at compile time. Then, a preprocessor macro will
+replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check:
+
+ getuid() == geteuid() && getgid() == getegid()
+
+See getuid(2) and getgid(2) for further details.
+
+Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
+Reviewed-by: Florian Weimer <fweimer@redhat.com>
+---
+ configure.ac | 4 ++++
+ src/Makefile.am | 1 +
+ src/util.h | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ src/vdpau_wrapper.c | 12 +++++++++---
+ trace/vdpau_trace.cpp | 8 +++++---
+ 5 files changed, 67 insertions(+), 6 deletions(-)
+ create mode 100644 src/util.h
+
+diff --git a/configure.ac b/configure.ac
+index 7bcee26..1db03b8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -6,6 +6,10 @@ AM_MAINTAINER_MODE
+
+ AM_CONFIG_HEADER(config.h)
+
++# Check for secure_getenv
++AC_USE_SYSTEM_EXTENSIONS
++AC_CHECK_FUNCS([__secure_getenv secure_getenv])
++
+ # Disable static libraries by default. Use --enable-static if you really want
+ # them.
+ AC_DISABLE_STATIC
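Review bot: AC_USE_SYSTEM_EXTENSIONS and AC_CHECK_FUNCS only take effect if configure and config.h.in are regenerated, and this debdiff changes configure.ac and src/Makefile.am without touching any generated file. debian/patches/series carries an autoreconf_-fi.patch, which suggests the generated output is shipped as a patch rather than produced at build time. If that is the case, HAVE_SECURE_GETENV and HAVE___SECURE_GETENV are never defined and util.h silently takes the getenv_wrapper branch. Since the package has only been build-tested, check the build log for the "Neither secure_getenv nor __secure_getenv is available" warning, and either refresh the generated files in the patch or run autoreconf during the build.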
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 46d7020..1599fbd 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -8,6 +8,7 @@ lib_LTLIBRARIES = libvdpau.la
+
+ libvdpau_la_SOURCES = \
+ vdpau_wrapper.c \
++ util.h \
+ $(DRI2_SOURCES)
+
+ if DRI2
+diff --git a/src/util.h b/src/util.h
+new file mode 100644
+index 0000000..1452c06
+--- /dev/null
++++ b/src/util.h
+@@ -0,0 +1,48 @@
++/*
++ * Copyright (c) 2015 NVIDIA Corporation
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++ * SOFTWARE.
++ */
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <unistd.h>
++#include <stdlib.h>
++
++static char * getenv_wrapper(const char *name)
++{
++ if (getuid() == geteuid() && getgid() == getegid()) {
++ return getenv(name);
++ }
++ else {
++ return NULL;
++ }
++}
++
++#ifndef HAVE_SECURE_GETENV
++# ifdef HAVE___SECURE_GETENV
++# define secure_getenv __secure_getenv
++# else
++# warning Neither secure_getenv nor __secure_getenv is available.
++# define secure_getenv getenv_wrapper
++# endif
++#endif
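Review bot: getenv_wrapper() is defined static at file scope, outside the "#ifndef HAVE_SECURE_GETENV" block, so every file that includes util.h on a system where secure_getenv or __secure_getenv is found carries an unused static function. Moving the definition into the final "# else" branch, next to "# define secure_getenv getenv_wrapper", keeps it out of builds that do not need it. The header also has no include guard, so a second inclusion in the same translation unit would redefine the function. A short comment that the fallback compares real and effective uid/gid only, and is therefore narrower than secure_getenv(3), would help later readers.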
+diff --git a/src/vdpau_wrapper.c b/src/vdpau_wrapper.c
+index f504775..69d19d8 100644
+--- a/src/vdpau_wrapper.c
++++ b/src/vdpau_wrapper.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2008-2009 NVIDIA, Corporation
++ * Copyright (c) 2008-2015 NVIDIA Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+@@ -35,6 +35,7 @@
+ #include "mesa_dri2.h"
+ #include <X11/Xlib.h>
+ #endif
++#include "util.h"
+
+ typedef void SetDllHandle(
+ void * driver_dll_handle
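Review bot: "util.h" is included after the system headers, below the X11/Xlib.h block, yet its "#include "config.h"" is what brings in the feature-test macros set up by AC_USE_SYSTEM_EXTENSIONS. If nothing earlier in vdpau_wrapper.c includes config.h (not visible in this hunk), stdlib.h may already have been processed without those macros, and secure_getenv or __secure_getenv would then be called without a prototype in C. Suggest including util.h (or config.h) before the first system header, or at least confirming that the build log shows no implicit-declaration warning for this file on amd64 and i386.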
+@@ -104,7 +105,12 @@ VdpStatus vdp_device_create_x11(
+
+ VdpDeviceCreateX11 * vdp_imp_device_create_x11;
+
+- vdpau_driver = getenv("VDPAU_DRIVER");
++ vdpau_driver = secure_getenv("VDPAU_DRIVER");
++ if (vdpau_driver) {
++ if (strchr(vdpau_driver, '/')) {
++ vdpau_driver = NULL;
++ }
++ }
+ if (!vdpau_driver) {
+ vdpau_driver = vdpau_driver_dri2 =
+ _vdp_get_driver_name_from_dri2(display, screen);
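Review bot: the new check rejects only values that contain '/'; an empty VDPAU_DRIVER is still non-NULL, so it passes the check and skips the DRI2 lookup under "if (!vdpau_driver)". Treating an empty string like a rejected value would make the fallback consistent. The nested test can also be written as one condition, "if (vdpau_driver && strchr(vdpau_driver, '/'))", and strchr needs string.h, which none of the include hunks for this file add, so confirm it is already included. Because the override is dropped silently, a one-line comment explaining why '/' is refused would help whoever debugs an ignored VDPAU_DRIVER later.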
+@@ -145,7 +151,7 @@ VdpStatus vdp_device_create_x11(
+ return VDP_STATUS_NO_IMPLEMENTATION;
+ }
+
+- vdpau_trace = getenv("VDPAU_TRACE");
++ vdpau_trace = secure_getenv("VDPAU_TRACE");
+ if (vdpau_trace && atoi(vdpau_trace)) {
+ void * trace_dll;
+ SetDllHandle * set_dll_handle;
+diff --git a/trace/vdpau_trace.cpp b/trace/vdpau_trace.cpp
+index 821209a..81db2fb 100644
+--- a/trace/vdpau_trace.cpp
++++ b/trace/vdpau_trace.cpp
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2008-2009 NVIDIA, Corporation
++ * Copyright (c) 2008-2015 NVIDIA Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+@@ -31,6 +31,8 @@
+ #include <string.h>
+ #include <vdpau/vdpau_x11.h>
+
++#include "../src/util.h"
++
+ #define _VDP_TRACE_ARSIZE(_x_) ((sizeof (_x_)) / (sizeof ((_x_)[0])))
+
+ #if DEBUG
+@@ -4575,13 +4577,13 @@ VdpStatus vdp_trace_device_create_x11(
+ }
+ else {
+ _vdp_cap_data.level = 0;
+- char const * vdpau_trace = getenv("VDPAU_TRACE");
++ char const * vdpau_trace = secure_getenv("VDPAU_TRACE");
+ if (vdpau_trace) {
+ _vdp_cap_data.level = atoi(vdpau_trace);
+ }
+
+ _vdp_cap_data.fp = 0;
+- char const * vdpau_trace_file = getenv("VDPAU_TRACE_FILE");
++ char const * vdpau_trace_file = secure_getenv("VDPAU_TRACE_FILE");
+ if (vdpau_trace_file && strlen(vdpau_trace_file)) {
+ if (vdpau_trace_file[0] == '&') {
+ int fd = atoi(&vdpau_trace_file[1]);
diff -Nru libvdpau-0.4.1/debian/patches/series libvdpau-0.4.1/debian/patches/series
--- libvdpau-0.4.1/debian/patches/series 2010-11-12 22:19:15.000000000 +0000
+++ libvdpau-0.4.1/debian/patches/series 2015-09-05 12:44:54.000000000 +0100
@@ -1,3 +1,4 @@
link-with-libx11.patch
autoreconf_-fi.patch
debian-changes-0.4.1-2
+0004-Use-secure_getenv-3-to-improve-security.patch