Bug 1224413 (CVE-2023-39929)

Summary:	VUL-0: CVE-2023-39929: libva: uncontrolled search path may allow an authenticated user to escalate privilege via local access
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Stefan Dirsch <sndirsch>
Status:	IN_PROGRESS ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	carlos.lopez, gfx-bugs, jimmy, smash_bz
Version:	unspecified	Flags:	sndirsch: needinfo? (carlos.lopez)
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/406097/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-39929:6.7:(AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-05-17 11:47:16 UTC

Uncontrolled search path in some Libva software maintained by Intel(R) before version 2.20.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39929
https://www.cve.org/CVERecord?id=CVE-2023-39929
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01012.html

Comment 1 Stefan Dirsch 2024-05-17 12:09:49 UTC

Are there already patches available?

Comment 2 Carlos López 2024-05-17 12:14:55 UTC

(In reply to Stefan Dirsch from comment #1)
> Are there already patches available?

Nothing given by Intel as far as I can tell. I guess it's something in between 2.19 and 2.20:
https://github.com/intel/libva/compare/2.19.0...2.20.0

Comment 3 Carlos López 2024-05-17 12:38:56 UTC

(In reply to SMASH SMASH from comment #0)
> Uncontrolled search path in some Libva software maintained by Intel(R)
> before version 2.20.0 (...)

We have:
 - SUSE:SLE-12-SP3:Update/libva       1.7.3
 - SUSE:SLE-12-SP5:Update/libva       2.3.0
 - SUSE:SLE-15:Update/libva           2.0.0
 - SUSE:SLE-15-SP1:Update/libva       2.3.0
 - SUSE:SLE-15-SP4:Update/libva       2.13.0
 - SUSE:SLE-15-SP2:Update/libva       2.5.0
 - SUSE:SLE-15-SP5:Update/libva       2.16.0
 - SUSE:SLE-15-SP3:Update/libva       2.10.0
 - SUSE:SLE-15-SP6:Update/libva       2.20.0
 - SUSE:ALP:Source:Standard:1.0/libva 2.20.0
 - SUSE:SLFO:Main/libva               2.20.0

Comment 4 Carlos López 2024-05-17 12:43:14 UTC

Tracking:
 - SUSE:SLE-12-SP3:Update/libva       Affected
 - SUSE:SLE-12-SP5:Update/libva       Affected
 - SUSE:SLE-15:Update/libva           Affected (reactive support only)
 - SUSE:SLE-15-SP1:Update/libva       Affected (reactive support only)
 - SUSE:SLE-15-SP4:Update/libva       Affected
 - SUSE:SLE-15-SP2:Update/libva       Affected (LTSS only)
 - SUSE:SLE-15-SP3:Update/libva       Affected (LTSS only)
 - SUSE:SLE-15-SP5:Update/libva       Affected
 - SUSE:SLE-15-SP6:Update/libva       Already fixed
 - SUSE:ALP:Source:Standard:1.0/libva Already fixed
 - SUSE:SLFO:Main/libva               Already fixed

Comment 5 Stefan Dirsch 2024-05-17 13:10:58 UTC

(In reply to Carlos López from comment #2)
> (In reply to Stefan Dirsch from comment #1)
> > Are there already patches available?
> 
> Nothing given by Intel as far as I can tell. I guess it's something in
> between 2.19 and 2.20:
> https://github.com/intel/libva/compare/2.19.0...2.20.0

Probably some of the hunks related to  vaGetDriverNames (...). I need the precise git commits to backport it.

Comment 6 Stefan Dirsch 2024-06-12 12:15:01 UTC

@Carlos ping!

Comment 7 Stefan Dirsch 2024-07-08 14:05:03 UTC

@Carlos Hello? ping!

Comment 10 Stefan Dirsch 2024-07-17 09:44:51 UTC

So I tried my best to backport these patches, added more patches so they can better be applied and added more patches. I did this down to sle15-sp3. Now I have the following adjusted patches:

0000-drm-fallback-to-drm-driver-name-va-driver-name.patch (additional)
0001-va-split-the-legacy-opendriver-to-separate-function.patch (additional)
0002-va-add-vaGetDriverNames-internal-ABI.patch
0003-drm-split-DisplayConnect-into-separate-function.patch (additional)
0004-drm-implement-vaGetDriverNames.patch
0007-android-implement-vaGetDriverNames.patch
0009-wayland-implement-vaGetDriverNames.patch
0015-x11-implement-vaGetDriverNames.patch
0022-va-don-t-leak-driver-names-when-override-is-set.patch
0023-va-add-missing-space-in-the-env.var-override-info-me.patch
0024-va-set-driver-number-to-be-zero-if-vaGetDriverNames-.patch
0040-va-backend-document-the-vaGetDriver-APIs.patch
0043-va-drop-no-longer-applicable-vaGetDriverNames-check.patch

Things are getting more and more difficult. With sle15-sp2 I'm no longer sure what I'm doing here. I'm pretty sure I will break things continuing if I didn't break things yet. And libva is even getting more older when going back to sle15-sp1 and sle12-sp5, sle12-sp3.

I suggest to give up on this approach and update on all distributions on a current libva version. Seriously.

Comment 11 Stefan Dirsch 2024-07-17 09:45:35 UTC

https://build.suse.de/project/show/home:sndirsch:branches:OBS_Maintained:libva

Comment 15 Stefan Dirsch 2024-07-17 14:03:27 UTC

I think that we only need updates for 

SUSE:SLE-12-SP5:Update
SUSE:SLE-15-SP2:Update
SUSE:SLE-15-SP4:Update
SUSE:SLE-15-SP5:Update

I verified, that I can get things building easily with the sources from SUSE_SLE-15-SP6_Update (libva 2.20.0).with these.

Comment 16 Stefan Dirsch 2024-07-18 11:51:46 UTC

So could you please open a JIRA ticket for this? Thanks!