Bug 1226899 (CVE-2023-22656)

Summary: VUL-0: CVE-2023-22656: libmfx: out-of-bounds read
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Stefan Dirsch <sndirsch>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/411949/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2024-06-24 12:49:42 UTC 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html

CVEID:  CVE-2023-22656

Description: Out-of-bounds read in IntelĀ® Media SDK and some IntelĀ® oneVPL software before version 23.3.5 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 3.9 Low

CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Comment 1 Stefan Dirsch 2024-06-24 13:09:20 UTC 
I already addressed this pro-actively in February for sle15-sp6 and Tumbleweed.

-------------------------------------------------------------------
Mon Feb  5 09:07:36 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- disabled compiling samples, tools and tutorials, which are no 
  longer packaged anyway

-------------------------------------------------------------------
Sat Feb  3 18:29:23 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- only package hardware specific ibmfxhw64 (+ libmfx_<codec>_hw64
  plugins) loaded during runtime by libvpl (boo#1219494)
- drop -devel and -samples subpackages

-------------------------------------------------------------------
Sat Feb  3 11:33:41 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- added hardware supplements, so it will be installed on GPUs which
  are not supported by libmfx-gen (boo#1219494)

For older products I have no idea how to address that. Intel just tells us to switch to VPL, which means a lot of changes in other components, which we did for SP6 and TW, but probably can't do for older already existing products.