Bugzilla – Bug 1226899
VUL-0: CVE-2023-22656: libmfx: out-of-bounds read
Last modified: 2024-07-02 14:53:07 UTC
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html CVEID: CVE-2023-22656 Description: Out-of-bounds read in Intel® Media SDK and some Intel® oneVPL software before version 23.3.5 may allow an authenticated user to potentially enable escalation of privilege via local access. CVSS Base Score: 3.9 Low CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
I already addressed this pro-actively in February for sle15-sp6 and Tumbleweed. ------------------------------------------------------------------- Mon Feb 5 09:07:36 UTC 2024 - Stefan Dirsch <sndirsch@suse.com> - disabled compiling samples, tools and tutorials, which are no longer packaged anyway ------------------------------------------------------------------- Sat Feb 3 18:29:23 UTC 2024 - Stefan Dirsch <sndirsch@suse.com> - only package hardware specific ibmfxhw64 (+ libmfx_<codec>_hw64 plugins) loaded during runtime by libvpl (boo#1219494) - drop -devel and -samples subpackages ------------------------------------------------------------------- Sat Feb 3 11:33:41 UTC 2024 - Stefan Dirsch <sndirsch@suse.com> - added hardware supplements, so it will be installed on GPUs which are not supported by libmfx-gen (boo#1219494) For older products I have no idea how to address that. Intel just tells us to switch to VPL, which means a lot of changes in other components, which we did for SP6 and TW, but probably can't do for older already existing products.