Bugzilla – Bug 1224413
VUL-0: CVE-2023-39929: libva: uncontrolled search path may allow an authenticated user to escalate privilege via local access
Last modified: 2024-07-18 11:51:46 UTC
Uncontrolled search path in some Libva software maintained by Intel(R) before version 2.20.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39929
https://www.cve.org/CVERecord?id=CVE-2023-39929
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01012.html
Are there already patches available?
(In reply to Stefan Dirsch from comment #1)
> Are there already patches available?
Nothing given by Intel as far as I can tell. I guess it's something in between 2.19 and 2.20:
https://github.com/intel/libva/compare/2.19.0...2.20.0
(In reply to SMASH SMASH from comment #0)
> Uncontrolled search path in some Libva software maintained by Intel(R)
> before version 2.20.0 (...)
We have:
- SUSE:SLE-12-SP3:Update/libva 1.7.3
- SUSE:SLE-12-SP5:Update/libva 2.3.0
- SUSE:SLE-15:Update/libva 2.0.0
- SUSE:SLE-15-SP1:Update/libva 2.3.0
- SUSE:SLE-15-SP4:Update/libva 2.13.0
- SUSE:SLE-15-SP2:Update/libva 2.5.0
- SUSE:SLE-15-SP5:Update/libva 2.16.0
- SUSE:SLE-15-SP3:Update/libva 2.10.0
- SUSE:SLE-15-SP6:Update/libva 2.20.0
- SUSE:ALP:Source:Standard:1.0/libva 2.20.0
- SUSE:SLFO:Main/libva 2.20.0
Tracking:
- SUSE:SLE-12-SP3:Update/libva Affected
- SUSE:SLE-12-SP5:Update/libva Affected
- SUSE:SLE-15:Update/libva Affected (reactive support only)
- SUSE:SLE-15-SP1:Update/libva Affected (reactive support only)
- SUSE:SLE-15-SP4:Update/libva Affected
- SUSE:SLE-15-SP2:Update/libva Affected (LTSS only)
- SUSE:SLE-15-SP3:Update/libva Affected (LTSS only)
- SUSE:SLE-15-SP5:Update/libva Affected
- SUSE:SLE-15-SP6:Update/libva Already fixed
- SUSE:ALP:Source:Standard:1.0/libva Already fixed
- SUSE:SLFO:Main/libva Already fixed
(In reply to Carlos López from comment #2)
> (In reply to Stefan Dirsch from comment #1)
> > Are there already patches available?
>
> Nothing given by Intel as far as I can tell. I guess it's something in
> between 2.19 and 2.20:
> https://github.com/intel/libva/compare/2.19.0...2.20.0
Probably some of the hunks related to vaGetDriverNames (...). I need the precise git commits to backport it.
@Carlos ping!
@Carlos Hello? ping!
So I tried my best to backport these patches, added more patches so they can better be applied and added more patches. I did this down to sle15-sp3. Now I have the following adjusted patches:
0000-drm-fallback-to-drm-driver-name-va-driver-name.patch (additional)
0001-va-split-the-legacy-opendriver-to-separate-function.patch (additional)
0002-va-add-vaGetDriverNames-internal-ABI.patch
0003-drm-split-DisplayConnect-into-separate-function.patch (additional)
0004-drm-implement-vaGetDriverNames.patch
0007-android-implement-vaGetDriverNames.patch
0009-wayland-implement-vaGetDriverNames.patch
0015-x11-implement-vaGetDriverNames.patch
0022-va-don-t-leak-driver-names-when-override-is-set.patch
0023-va-add-missing-space-in-the-env.var-override-info-me.patch
0024-va-set-driver-number-to-be-zero-if-vaGetDriverNames-.patch
0040-va-backend-document-the-vaGetDriver-APIs.patch
0043-va-drop-no-longer-applicable-vaGetDriverNames-check.patch
Things are getting more and more difficult. With sle15-sp2 I'm no longer sure what I'm doing here. I'm pretty sure I will break things if I continue, if I didn't break things yet. And libva is getting even older when going back to sle15-sp1, sle12-sp5 and sle12-sp3. I suggest giving up on this approach and updating all distributions to a current libva version. Seriously.
https://build.suse.de/project/show/home:sndirsch:branches:OBS_Maintained:libva
I think that we only need updates for
SUSE:SLE-12-SP5:Update
SUSE:SLE-15-SP2:Update
SUSE:SLE-15-SP4:Update
SUSE:SLE-15-SP5:Update
I verified that I can get things building easily with the sources from SUSE_SLE-15-SP6_Update (libva 2.20.0) with these.
So could you please open a JIRA ticket for this? Thanks!