- 31 Aug, 2015 1 commit
-
-
José Hiram Soltren authored
This patch is in response to the following security vulnerabilities (CVEs) reported to NVIDIA against libvdpau: CVE-2015-5198 CVE-2015-5199 CVE-2015-5200 To address these CVEs, this patch: - replaces all uses of getenv(3) with secure_getenv(3); - uses secure_getenv(3) when available, with a fallback option; - protects VDPAU_DRIVER against directory traversal by checking for '/' On platforms where secure_getenv(3) is not available, the C preprocessor will print a warning at compile time. Then, a preprocessor macro will replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check: getuid() == geteuid() && getgid() == getegid() See getuid(2) and getgid(2) for further details. Signed-off-by:
Aaron Plattner <aplattner@nvidia.com> Reviewed-by:
Florian Weimer <fweimer@redhat.com>
-
