main/libvdpau: security fix for CVE-2015-5198,CVE-2015-5199,CVE-2015-5200

author: Eivind Uggedal <eivind@uggedal.com> 2015-09-30 20:26:41 +0000
committer: Eivind Uggedal <eivind@uggedal.com> 2015-09-30 20:26:41 +0000
commit: 7b46352576c9f78aff928e671a222f2f7fe4da1d (patch)
tree: 9556e7795583c50c129d9c0328774238e4f8770e
parent: d73619d3861f2b45488c21a45a8670434b16c27a (diff)
2 files changed, 273 insertions, 8 deletions
diff --git a/main/libvdpau/APKBUILD b/main/libvdpau/APKBUILD
index eef6d7d8b14..05cb4a1c757 100644
--- a/main/libvdpau/APKBUILD
+++ b/main/libvdpau/APKBUILD
@@ -2,23 +2,29 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libvdpau
 pkgver=0.8
-pkgrel=0
+pkgrel=1
 pkgdesc="Nvidia VDPAU library"
 url="http://cgit.freedesktop.org/~aplattner/libvdpau"
 arch="all"
 license="custom"
 depends=
-makedepends="libx11-dev dri2proto libxext-dev"
+makedepends="libx11-dev dri2proto libxext-dev autoconf automake
+	libtool"
 install=
 subpackages="$pkgname-dev $pkgname-doc"
-source="http://people.freedesktop.org/~aplattner/vdpau/${pkgname}-${pkgver}.tar.gz"
+source="http://people.freedesktop.org/~aplattner/vdpau/${pkgname}-${pkgver}.tar.gz
+	CVE-2015-5198_CVE-2015-5199_CVE-2015-5200.patch"
 
 _builddir="$srcdir"/$pkgname-$pkgver
 
 prepare() {
 	cd "$_builddir"
-	update_config_sub || return 1
-	# apply patches here
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
+	autoreconf -fisv || return 1
 }
 
 build() {
@@ -44,6 +50,9 @@ package() {
 	install -m644 COPYING "${pkgdir}/usr/share/licenses/${pkgname}/" || return 1
 }
 
-md5sums="acf68adc8b8ff4f72be6e8679abc284e  libvdpau-0.8.tar.gz"
-sha256sums="73a7d11cc1abed8bcaf1392bd361fc00fd43bd85bbeafb12a64bdd0bcb4101ed  libvdpau-0.8.tar.gz"
-sha512sums="c7e7c74f4849f83bed170f4428c381f868f34cbb59444c4e65af4ad1eac19ea9450aa422b35af6c031c2b168a73282fe7bf96d69d5581f24d3c689aa849d1c56  libvdpau-0.8.tar.gz"
+md5sums="acf68adc8b8ff4f72be6e8679abc284e  libvdpau-0.8.tar.gz
+3332c0842ceabfee5de00f316edd7dcb  CVE-2015-5198_CVE-2015-5199_CVE-2015-5200.patch"
+sha256sums="73a7d11cc1abed8bcaf1392bd361fc00fd43bd85bbeafb12a64bdd0bcb4101ed  libvdpau-0.8.tar.gz
+ecb31cb74afe1f46275d82eb02857c9f050a190fdcc51c1ae6ad1b5b1476d6e8  CVE-2015-5198_CVE-2015-5199_CVE-2015-5200.patch"
+sha512sums="c7e7c74f4849f83bed170f4428c381f868f34cbb59444c4e65af4ad1eac19ea9450aa422b35af6c031c2b168a73282fe7bf96d69d5581f24d3c689aa849d1c56  libvdpau-0.8.tar.gz
+afbe8228e0dce60fbded5f867277eb4b9cc77fbad673658b7cfdd2c28149373e482db8c5d48961f870394eec218da4655c2e53bd211e88b0e4cefd1370153b6b  CVE-2015-5198_CVE-2015-5199_CVE-2015-5200.patch"
diff --git a/main/libvdpau/CVE-2015-5198_CVE-2015-5199_CVE-2015-5200.patch b/main/libvdpau/CVE-2015-5198_CVE-2015-5199_CVE-2015-5200.patch
new file mode 100644
index 00000000000..6636a751024
--- /dev/null
+++ b/main/libvdpau/CVE-2015-5198_CVE-2015-5199_CVE-2015-5200.patch
@@ -0,0 +1,256 @@
+From: José Hiram Soltren <jsoltren@nvidia.com>
+Date: Mon, 17 Aug 2015 16:01:44 -0500
+Subject: Use secure_getenv(3) to improve security
+
+This patch is in response to the following security vulnerabilities
+(CVEs) reported to NVIDIA against libvdpau:
+
+CVE-2015-5198
+CVE-2015-5199
+CVE-2015-5200
+
+To address these CVEs, this patch:
+
+- replaces all uses of getenv(3) with secure_getenv(3);
+- uses secure_getenv(3) when available, with a fallback option;
+- protects VDPAU_DRIVER against directory traversal by checking for '/'
+
+On platforms where secure_getenv(3) is not available, the C preprocessor
+will print a warning at compile time. Then, a preprocessor macro will
+replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check:
+
+  getuid() == geteuid() && getgid() == getegid()
+
+See getuid(2) and getgid(2) for further details.
+
+Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
+Reviewed-by: Florian Weimer <fweimer@redhat.com>
+---
+ configure.ac          |  4 ++++
+ src/Makefile.am       |  1 +
+ src/mesa_dri2.c       |  6 ++++--
+ src/util.h            | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ src/vdpau_wrapper.c   | 28 ++++++++++++++++------------
+ trace/vdpau_trace.cpp |  8 +++++---
+ 6 files changed, 78 insertions(+), 17 deletions(-)
+ create mode 100644 src/util.h
+
+diff --git a/configure.ac b/configure.ac
+index 29ad593..0f7d1da 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -6,6 +6,10 @@ AM_MAINTAINER_MODE
+ 
+ AC_CONFIG_HEADERS(config.h)
+ 
++# Check for secure_getenv
++AC_USE_SYSTEM_EXTENSIONS
++AC_CHECK_FUNCS([__secure_getenv secure_getenv])
++
+ # Disable static libraries by default.  Use --enable-static if you really want
+ # them.
+ AC_DISABLE_STATIC
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 32daa8e..ef72f43 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -9,6 +9,7 @@ lib_LTLIBRARIES = libvdpau.la
+ 
+ libvdpau_la_SOURCES = \
+     vdpau_wrapper.c \
++    util.h \
+     $(DRI2_SOURCES)
+ 
+ if DRI2
+diff --git a/src/mesa_dri2.c b/src/mesa_dri2.c
+index 5f7146a..51e8794 100644
+--- a/src/mesa_dri2.c
++++ b/src/mesa_dri2.c
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright © 2008 Red Hat, Inc.
+- * Copyright © 2010 NVIDIA Corporation
++ * Copyright © 2010-2015 NVIDIA Corporation
+  *
+  * Permission is hereby granted, free of charge, to any person obtaining a
+  * copy of this software and associated documentation files (the "Soft-
+@@ -30,6 +30,7 @@
+  * Authors:
+  *   Kristian Høgsberg (krh@redhat.com)
+  *   Modified for VDPAU by Aaron Plattner (aplattner@nvidia.com)
++ *   and José Hiram Soltren (jsoltren@nvidia.com)
+  */
+ 
+ 
+@@ -39,6 +40,7 @@
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/dri2proto.h>
+ #include "mesa_dri2.h"
++#include "util.h"
+ 
+ static char dri2ExtensionName[] = DRI2_NAME;
+ static XExtensionInfo *dri2Info;
+@@ -130,7 +132,7 @@ _vdp_DRI2Connect(Display * dpy, XID window, char **driverName, char **deviceName
+    req->driverType = DRI2DriverVDPAU;
+ #ifdef DRI2DriverPrimeShift
+    {
+-      char *prime = getenv("DRI_PRIME");
++      char *prime = secure_getenv("DRI_PRIME");
+       if (prime) {
+          unsigned int primeid;
+          errno = 0;
+diff --git a/src/util.h b/src/util.h
+new file mode 100644
+index 0000000..1452c06
+--- /dev/null
++++ b/src/util.h
+@@ -0,0 +1,48 @@
++/*
++ * Copyright (c) 2015 NVIDIA Corporation
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++ * SOFTWARE.
++ */
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <unistd.h>
++#include <stdlib.h>
++
++static char * getenv_wrapper(const char *name)
++{
++    if (getuid() == geteuid() && getgid() == getegid()) {
++        return getenv(name);
++    }
++    else {
++        return NULL;
++    }
++}
++
++#ifndef HAVE_SECURE_GETENV
++#  ifdef HAVE___SECURE_GETENV
++#    define secure_getenv __secure_getenv
++#  else
++#    warning Neither secure_getenv nor __secure_getenv is available.
++#    define secure_getenv getenv_wrapper
++#  endif
++#endif
+diff --git a/src/vdpau_wrapper.c b/src/vdpau_wrapper.c
+index e273bcf..42f705c 100644
+--- a/src/vdpau_wrapper.c
++++ b/src/vdpau_wrapper.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2008-2009 NVIDIA, Corporation
++ * Copyright (c) 2008-2015 NVIDIA Corporation
+  *
+  * Permission is hereby granted, free of charge, to any person obtaining a copy
+  * of this software and associated documentation files (the "Software"), to deal
+@@ -36,6 +36,7 @@
+ #include "mesa_dri2.h"
+ #include <X11/Xlib.h>
+ #endif
++#include "util.h"
+ 
+ typedef void SetDllHandle(
+     void * driver_dll_handle
+@@ -122,7 +123,12 @@ static VdpStatus _vdp_open_driver(
+     char const * func_name;
+     char const ** module_path;
+ 
+-    vdpau_driver = getenv("VDPAU_DRIVER");
++    vdpau_driver = secure_getenv("VDPAU_DRIVER");
++    if (vdpau_driver) {
++        if (strchr(vdpau_driver, '/')) {
++            vdpau_driver = NULL;
++        }
++    }
+     if (!vdpau_driver) {
+         vdpau_driver = vdpau_driver_dri2 =
+             _vdp_get_driver_name_from_dri2(display, screen);
+@@ -133,15 +139,13 @@ static VdpStatus _vdp_open_driver(
+ 
+     _vdp_driver_dll = NULL;
+ 
+-    if (geteuid() == getuid()) {
+-        /* don't allow setuid apps to use VDPAU_DRIVER_PATH */
+-        vdpau_driver_path = getenv("VDPAU_DRIVER_PATH");
+-        if (vdpau_driver_path &&
+-            snprintf(vdpau_driver_lib, sizeof(vdpau_driver_lib),
+-                     DRIVER_LIB_FORMAT, vdpau_driver_path, vdpau_driver) <
+-                sizeof(vdpau_driver_lib)) {
+-            _vdp_driver_dll = dlopen(vdpau_driver_lib, RTLD_NOW | RTLD_GLOBAL);
+-        }
++    /* Don't allow setuid apps to use VDPAU_DRIVER_PATH */
++    vdpau_driver_path = secure_getenv("VDPAU_DRIVER_PATH");
++    if (vdpau_driver_path &&
++        snprintf(vdpau_driver_lib, sizeof(vdpau_driver_lib),
++                 DRIVER_LIB_FORMAT, vdpau_driver_path, vdpau_driver) <
++            sizeof(vdpau_driver_lib)) {
++        _vdp_driver_dll = dlopen(vdpau_driver_lib, RTLD_NOW | RTLD_GLOBAL);
+     }
+ 
+     /* Fallback to VDPAU_MODULEDIR when VDPAU_DRIVER_PATH is not set,
+@@ -181,7 +185,7 @@ static VdpStatus _vdp_open_driver(
+ 
+     _vdp_backend_dll = _vdp_driver_dll;
+ 
+-    vdpau_trace = getenv("VDPAU_TRACE");
++    vdpau_trace = secure_getenv("VDPAU_TRACE");
+     if (vdpau_trace && atoi(vdpau_trace)) {
+         SetDllHandle * set_dll_handle;
+ 
+diff --git a/trace/vdpau_trace.cpp b/trace/vdpau_trace.cpp
+index 31c988a..05a0530 100644
+--- a/trace/vdpau_trace.cpp
++++ b/trace/vdpau_trace.cpp
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2008-2009 NVIDIA, Corporation
++ * Copyright (c) 2008-2015 NVIDIA Corporation
+  *
+  * Permission is hereby granted, free of charge, to any person obtaining a copy
+  * of this software and associated documentation files (the "Software"), to deal
+@@ -31,6 +31,8 @@
+ #include <string.h>
+ #include <vdpau/vdpau_x11.h>
+ 
++#include "../src/util.h"
++
+ #define _VDP_TRACE_ARSIZE(_x_) ((sizeof (_x_)) / (sizeof ((_x_)[0])))
+ 
+ #if DEBUG
+@@ -4558,13 +4560,13 @@ VdpStatus vdp_trace_device_create_x11(
+     }
+     else {
+         _vdp_cap_data.level = 0;
+-        char const * vdpau_trace = getenv("VDPAU_TRACE");
++        char const * vdpau_trace = secure_getenv("VDPAU_TRACE");
+         if (vdpau_trace) {
+             _vdp_cap_data.level = atoi(vdpau_trace);
+         }
+ 
+         _vdp_cap_data.fp = 0;
+-        char const * vdpau_trace_file = getenv("VDPAU_TRACE_FILE");
++        char const * vdpau_trace_file = secure_getenv("VDPAU_TRACE_FILE");
+         if (vdpau_trace_file && strlen(vdpau_trace_file)) {
+             if (vdpau_trace_file[0] == '&') {
+                 int fd = atoi(&vdpau_trace_file[1]);
author	Eivind Uggedal <eivind@uggedal.com>	2015-09-30 20:26:41 +0000
committer	Eivind Uggedal <eivind@uggedal.com>	2015-09-30 20:26:41 +0000
commit	7b46352576c9f78aff928e671a222f2f7fe4da1d (patch)
tree	9556e7795583c50c129d9c0328774238e4f8770e
parent	d73619d3861f2b45488c21a45a8670434b16c27a (diff)