Bug 1226897 (CVE-2023-48368)

Summary: VUL-0: CVE-2023-48368: libmfx: improper input validation
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Stefan Dirsch <sndirsch>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, sndirsch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/411947/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2024-06-24 12:49:30 UTC 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html

CVEID:  CVE-2023-48368

Description: Improper input validation in IntelĀ® Media SDK software all versions may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.9 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
Comment 1 Stefan Dirsch 2024-06-24 13:09:31 UTC 
I already addressed this pro-actively in February for sle15-sp6 and Tumbleweed.

-------------------------------------------------------------------
Mon Feb  5 09:07:36 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- disabled compiling samples, tools and tutorials, which are no 
  longer packaged anyway

-------------------------------------------------------------------
Sat Feb  3 18:29:23 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- only package hardware specific ibmfxhw64 (+ libmfx_<codec>_hw64
  plugins) loaded during runtime by libvpl (boo#1219494)
- drop -devel and -samples subpackages

-------------------------------------------------------------------
Sat Feb  3 11:33:41 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- added hardware supplements, so it will be installed on GPUs which
  are not supported by libmfx-gen (boo#1219494)

For older products I have no idea how to address that. Intel just tells us to switch to VPL, which means a lot of changes in other components, which we did for SP6 and TW, but probably can't do for older already existing products.
Comment 2 Alexander Bergmann 2024-06-24 15:27:11 UTC 
Would it be possible to do a version upgrade on the libmfx package for older code streams?
Comment 3 Stefan Dirsch 2024-06-25 11:04:33 UTC 
(In reply to Alexander Bergmann from comment #2)
> Would it be possible to do a version upgrade on the libmfx package for older
> code streams?

As far as I can see there is no update, which fixes the security issues.
Comment 4 Stefan Dirsch 2024-07-18 14:10:08 UTC 
To update to latest support for VA-API  (Intel Media SDK and oneVPL  is used for that) we would need to update the following packages:

libva 2.22.0 

intel-vaapi-driver 2.4.1

gmmlib 22.4.1
intel-media-driver 24.2.5

libmfx (intel-media-sdk) 23.2.2

libvpl 2.12.0

But this wouldn't fix the security issue with the Intel Media SDK aka libmfx, which we only addressed for SP6 and Tumbleweed. See my comment#1.