Main Vulnerability Database SB2015091104

SB2015091104 - Path traversal in libvdpau (Alpine package)

Published: September 11, 2015

Security Bulletin ID SB2015091104

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2015-5199)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in dlopen in libvdpau before 1.1.1. A remote authenticated attacker can send a specially crafted HTTP request and local users to gain privileges via the VDPAU_DRIVER environment variable.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=58c926355306673e726679d93b0e0c5b5a3df3c2
https://git.alpinelinux.org/aports/commit/?id=7b46352576c9f78aff928e671a222f2f7fe4da1d
https://git.alpinelinux.org/aports/commit/?id=f910f5627d6d0cef2b970fee2424e5f010cc9629