1226897 – (CVE-2023-48368) VUL-0: CVE-2023-48368: libmfx: improper input validation

Bug 1226897 (CVE-2023-48368) - VUL-0: CVE-2023-48368: libmfx: improper input validation

Summary: VUL-0: CVE-2023-48368: libmfx: improper input validation

Status:	IN_PROGRESS

Alias:	CVE-2023-48368

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Stefan Dirsch
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/411947/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-06-24 12:49 UTC by Alexander Bergmann
Modified:	2024-07-18 14:10 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2024-06-24 12:49:30 UTC

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html

CVEID:  CVE-2023-48368

Description: Improper input validation in Intel® Media SDK software all versions may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.9 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H

Comment 1 Stefan Dirsch 2024-06-24 13:09:31 UTC

I already addressed this pro-actively in February for sle15-sp6 and Tumbleweed.

-------------------------------------------------------------------
Mon Feb  5 09:07:36 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- disabled compiling samples, tools and tutorials, which are no 
  longer packaged anyway

-------------------------------------------------------------------
Sat Feb  3 18:29:23 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- only package hardware specific ibmfxhw64 (+ libmfx_<codec>_hw64
  plugins) loaded during runtime by libvpl (boo#1219494)
- drop -devel and -samples subpackages

-------------------------------------------------------------------
Sat Feb  3 11:33:41 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

- added hardware supplements, so it will be installed on GPUs which
  are not supported by libmfx-gen (boo#1219494)

For older products I have no idea how to address that. Intel just tells us to switch to VPL, which means a lot of changes in other components, which we did for SP6 and TW, but probably can't do for older already existing products.

Comment 2 Alexander Bergmann 2024-06-24 15:27:11 UTC

Would it be possible to do a version upgrade on the libmfx package for older code streams?

Comment 3 Stefan Dirsch 2024-06-25 11:04:33 UTC

(In reply to Alexander Bergmann from comment #2)
> Would it be possible to do a version upgrade on the libmfx package for older
> code streams?

As far as I can see there is no update, which fixes the security issues.

Comment 4 Stefan Dirsch 2024-07-18 14:10:08 UTC

To update to latest support for VA-API  (Intel Media SDK and oneVPL  is used for that) we would need to update the following packages:

libva 2.22.0 

intel-vaapi-driver 2.4.1

gmmlib 22.4.1
intel-media-driver 24.2.5

libmfx (intel-media-sdk) 23.2.2

libvpl 2.12.0

But this wouldn't fix the security issue with the Intel Media SDK aka libmfx, which we only addressed for SP6 and Tumbleweed. See my comment#1.