Path to this page:
Subject: CVS commit: pkgsrc/multimedia/libvdpau
From: Adam Ciarcinski
Date: 2017-01-23 19:20:59
Message id: 20170123182059.5E768FBA6@cvs.NetBSD.org
Log Message:
Changes 1.1.1:
Use secure_getenv(3) to improve security
This patch is in response to the following security vulnerabilities
(CVEs) reported to NVIDIA against libvdpau:
CVE-2015-5198
CVE-2015-5199
CVE-2015-5200
To address these CVEs, this patch:
- replaces all uses of getenv(3) with secure_getenv(3);
- uses secure_getenv(3) when available, with a fallback option;
- protects VDPAU_DRIVER against directory traversal by checking for '/'
On platforms where secure_getenv(3) is not available, the C preprocessor
will print a warning at compile time. Then, a preprocessor macro will
replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check:
getuid() == geteuid() && getgid() == getegid()
See getuid(2) and getgid(2) for further details.
Files: