SUSE-SU-2025:1477-1: moderate: Security update for libva
SLE-SECURITY-UPDATES
null at suse.de
Wed May 7 12:31:51 UTC 2025
# Security update for libva
Announcement ID: SUSE-SU-2025:1477-1
Release Date: 2025-05-06T09:17:19Z
Rating: moderate
References:
* bsc#1202828
* bsc#1217770
* bsc#1224413
* jsc#PED-11066
* jsc#PED-1174
* jsc#PM-1623
* jsc#SLE-12712
* jsc#SLE-19361
* jsc#SLE-8838
Cross-References:
* CVE-2023-39929
CVSS scores:
* CVE-2023-39929 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products:
* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server 12 SP5 LTSS
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
An update that solves one vulnerability, contains six features and has two
security fixes can now be installed.
## Description:
This update for libva fixes the following issues:
Update to libva version 2.20.0, which includes security fix for:
* uncontrolled search path may allow an authenticated user to escalate
privilege via local access (CVE-2023-39929, bsc#1224413, jsc#PED-11066)
This includes latest version of one of the components needed for Video
(processing) hardware support on Intel GPUs (bsc#1217770)
Update to version 2.20.0:
* av1: Revise offsets comments for av1 encode
* drm:
* Limit the array size to avoid out of range
* Remove no longer used helpers
* jpeg: add support for crop and partial decode
* trace:
* Add trace for vaExportSurfaceHandle
* Unlock mutex before return
* Fix minor issue about printf data type and value range
* va/backend:
* Annotate vafool as deprecated
* Document the vaGetDriver* APIs
* va/x11/va_fglrx: Remove some dead code
* va/x11/va_nvctrl: Remove some dead code
* va:
* Add new VADecodeErrorType to indicate the reset happended in the driver
* Add vendor string on va_TraceInitialize
* Added Q416 fourcc (three-plane 16-bit YUV 4:4:4)
* Drop no longer applicable vaGetDriverNames check
* Fix:don't leak driver names, when override is set
* Fix:set driver number to be zero if vaGetDriverNames failed
* Optimize code of getting driver name for all protocols/os (wayland,x11,drm,win32,android)
* Remove legacy code paths
* Remove unreachable "DRIVER BUG"
* win32:
* Only print win32 driver messages in DEBUG builds
* Remove duplicate adapter_luid entry
* x11/dri2: limit the array handling to avoid out of range access
* x11:
* Allow disabling DRI3 via LIBVA_DRI3_DISABLE env var
* Implement vaGetDriverNames
* Remove legacy code paths
Update to 2.19.0:
* add: Add mono_chrome to VAEncSequenceParameterBufferAV1
* add: Enable support for license acquisition of multiple protected playbacks
* fix: use secure_getenv instead of getenv
* trace: Improve and add VA trace log for AV1 encode
* trace: Unify va log message, replace va_TracePrint with va_TraceMsg.
Update to version 2.18.0:
* doc: Add build and install libva informatio in home page.
* fix:
* Add libva.def into distribution package
* NULL check before calling strncmp.
* Remove reference to non-existent symbol
* meson: docs:
* Add encoder interface for av1
* Use libva_version over project_version()
* va:
* Add VAProfileH264High10
* Always build with va-messaging API
* Fix the codying style of CHECK_DISPLAY
* Remove Android pre Jelly Bean workarounds
* Remove dummy isValid() hook
* Remove unused drm_sarea.h include & ANDROID references in va_dricommon.h
* va/sysdeps.h: remove Android section
* x11:
* Allow disabling DRI3 via LIBVA_DRI3_DISABLe env var
* Use LIBVA_DRI3_DISABLE in GetNumCandidates
Update to 2.17.0:
* win: Simplify signature for driver name loading
* win: Rewrite driver registry query and fix some bugs/leaks/inefficiencies
* win: Add missing null check after calloc
* va: Update security disclaimer
* dep:remove the file .cvsignore
* pkgconfig: add 'with-legacy' for emgd, nvctrl and fglrx
* meson: add 'with-legacy' for emgd, nvctrl and fglrx
* x11: move all FGLRX code to va_fglrx.c
* x11: move all NVCTRL code to va_nvctrl.c
* meson: stop using deprecated meson.source_root()
* meson: stop using configure_file copy=true
* va: correctly include the win32 (local) headers
* win: clean-up the coding style
* va: dos2unix all the files
* drm: remove unnecessary dri2 version/extension query
* trace: annotate internal functions with DLL_HIDDEN
* build/sysdeps: Remove HAVE_GNUC_VISIBILITY_ATTRIBUTE and use _GNUC_ support
level attribute instead
* meson: Check support for -Wl,-version-script and build link_args accordingly
* meson: Set va_win32 soversion to '' and remove the install_data rename
* fix: resouce check null
* va_trace: Add Win32 memory types in va_TraceSurfaceAttributes
* va_trace: va_TraceSurfaceAttributes should check the
VASurfaceAttribMemoryType
* va: Adds Win32 Node and Windows build support
* va: Adds compat_win32 abstraction for Windows build and prepares va common
code for windows build
* pkgconfig: Add Win32 package for when WITH_WIN32 is enabled
* meson: Add with_win32 option, makes libdrm non-mandatory on Win
* x11: add basic DRI3 support
* drm: remove VA_DRM_IsRenderNodeFd() helper
* drm: add radeon drm + radeonsi mesa combo
Needed for jira#PED-1174 (Video decoding/encoding support (VA-API, ...) for
Intel GPUs is outside of Mesa)
update to 2.16.0:
* add: Add HierarchicalFlag & hierarchical_level_plus1 for AV1e.
* dep: Update README.md to remove badge links
* dep: Removed waffle-io badge from README to fix broken link
* dep: Drop mailing list, IRC and Slack
* autotools: use wayland-scanner private-code
* autotools: use the wayland-scanner.pc to locate the prog
* meson: use wayland-scanner private-code
* meson: request native wayland-scanner
* meson: use the wayland-scanner.pc to locate the prog
* meson: set HAVE_VA_X11 when applicable
* style:Correct slight coding style in several new commits
* trace: add Linux ftrace mode for va trace
* trace: Add missing pthread_mutex_destroy
* drm: remove no-longer needed X == X mappings
* drm: fallback to drm driver name == va driver name
* drm: simplify the mapping table
* x11: simplify the mapping table
Update to version 2.15.0 was part of Intel oneVPL GPU Runtime 2022Q2 Release
22.4.4
Update to 2.15.0:
* Add: new display HW attribute to report PCI ID
* Add: sample depth related parameters for AV1e
* Add: refresh_frame_flags for AV1e
* Add: missing fields in va_TraceVAEncSequenceParameterBufferHEVC.
* Add: nvidia-drm to the drm driver map
* Add: type and buffer for delta qp per block
* Deprecation: remove the va_fool support
* Fix:Correct the version of meson build on master branch
* Fix:X11 DRI2: check if device is a render node
* Build:Use also strong stack protection if supported
* Trace:print the string for profile/entrypoint/configattrib
Update to 2.14.0:
* add: Add av1 encode interfaces
* add: VA/X11 VAAPI driver mapping for crocus DRI driver
* doc: Add description of the fd management for surface importing
* ci: fix freebsd build
* meson: Copy public headers to build directory to support subproject
Update to 2.13.0:
* add new surface format fourcc XYUV
* Fix av1 dec doc page link issue
* unify the code styles using the style_unify script
* Check the function pointer before using (fixes github issue#536)
* update NEWS for 2.13.0
update to 2.12.0:
* add: Report the capability of vaCopy support
* add: Report the capability of sub device
* add: Add config attributes to advertise HEVC/H.265 encoder features
* add: Video processing HVS Denoise: Added 4 modes
* add: Introduce VASurfaceAttribDRMFormatModifiers
* add: Add 3DLUT Filter in Video Processing.
* doc: Update log2_tile_column description for vp9enc
* trace: Correct av1 film grain trace information
* ci: Fix freebsd build by switching to vmactions/freebsd-vm at v0.1.3
update to 2.11.0:
* add: LibVA Protected Content API
* add: Add a configuration attribute to advertise AV1d LST feature
* fix: wayland: don't try to authenticate with render nodes
* autotools: use shell grouping instead of sed to prepend a line
* trace: Add details data dump for mpeg2 IQ matrix.
* doc: update docs for VASurfaceAttribPixelFormat
* doc: Libva documentation edit for AV1 reference frames
* doc: Modify AV1 frame_width_minus1 and frame_height_minus1 comment
* doc: Remove tile_rows and tile_cols restriction to match AV1 spec
* doc: Format code for doxygen output
* doc: AV1 decode documentation edit for superres_scale_denominator
* ci: upgrade FreeBSD to 12.2
* ci: disable travis build
* ci: update cache before attempting to install packages
* ci: avoid running workloads on other workloads changes
* ci: enable github actions
update to 2.10.0:
* add: Pass offset and size of pred_weight_table
* add: add vaCopy interface to copy surface and buffer
* add: add definition for different execution
* add: New parameters for transport controlled BRC were added
* add: add FreeBSD support
* add: add a bufer type to adjust context priority dynamically
* fix: correct the api version in meson.build
* fix: remove deprecated variable from va_trace.c
* fix: Use va_deprecated for the deprecate variable
* fix: Mark chroma_sample_position as deprecated
* doc: va_dec_av1: clarifies CDEF syntax element packing
* doc: [AV1] Update documented ranges for loop filter and quantization params.
* doc: Update va.h for multi-threaded usages
* trace: va/va_trace: ignore system gettid() on Linux
Update to 2.9.1:
* fix version mismatch between meson and autotools
Update to 2.9.0:
* trace: Refine the va_TraceVAPictureParameterBufferAV1.
* doc: Add comments for backward/forward reference to avoid confusion
* doc: Modify comments in av1 decoder interfaces
* doc: Update mailing list
* Add SCC fields trace for HEVC SCC encoding.
* Add FOURCC code for Y212 and Y412 format.
* Add interpolation method for scaling.
* add attributes for context priority setting
* Add vaSyncBuffer for output buffers synchronization
* Add vaSyncSurface2 with timeout
Update to 2.8.0:
* trace: enable return value trace for successful function call
* trace: divide va_TraceEndPicture to two seperate function
* trace: add support for VAProfileHEVCSccMain444_10
* fix:Fixes file descriptor leak
* add fourcc code for P012 format
* travis: Add a test that code files don't have the exec bit set
* Remove the execute bit from all source code files
* meson: Allow for libdir and includedir to be absolute paths
* trace: Fix format string warnings
* fix:Fix clang warning (reading garbage)
* add definition to enforce both reflist not empty
* trace: List correct field names in va_TraceVAPictureParameterBufferHEVC
* change the return value to be UNIMPLEMENTED when the function pointer is
NULL
* remove check of vaPutSurface implementation
* Add new slice structure flag for CAPS reporting
* VA/X11: VAAPI driver mapping for iris DRI driver
* VA/X11: enable driver candidate selection for DRI2
* Add SCC flags to enable/disable features
* fix: Fix HDR10 MaxCLL and MaxFALL documentation
* Add VAProfileHEVCSccMain444_10 for HEVC
* change the compatible list to be dynamic one
* trace:Convert VAProfileAV1Profile0 VAProfileAV1Profile1 to string
Update to version 2.7.0:
* trace: av1 decode buffers trace
* trace: Add HEVC REXT and SCC trace for decoding.
* Add av1 decode interfaces
* Fix crashes on system without supported hardware by PR #369.
* Add 2 FourCC for 10bit RGB(without Alpha) format: X2R10G10B10 and
X2B10G10R10.
* Fix android build issue #365 and remove some trailing whitespace
* Adjust call sequence to ensure authenticate operation is executed to fix
#355
Update to version 2.6.1:
* adjust call sequence to ensure authenticate operation is executed this patch
is not needed for media-driver, but needed for i965 driver which check
authentication.
Update to version 2.6.0:
* enable the mutiple driver selection logic and enable it for DRM.
* drm: Add iHD to driver_name_map
* Add missed slice parameter 'slice_data_num_emu_prevn_bytes'
* ensure that all meson files are part of the release tarball
* configure: use correct comparison operator
* trace: support VAConfigAttribMultipleFrame in trace
* remove incorrect field of VAConfigAttribValDecJPEG
* va/va_trace: Dump VP9 parameters for profile 1~3
* add multiple frame capability report
* add variable to indicate layer infromation
* trace: fix memory leak on closing the trace
* add prediction direction caps report
* Add comments for colour primaries and transfer characteristics in
VAProcColorProperties
This release is needed for latest intel-media-driver update (jsc#SLE-8838)
Update to version 2.5.0:
* Correct the comment of color_range.
* Add VA_FOURCC_A2B10G10R10 for format a2b10g10r10.
* Adjust VAEncMiscParameterQuantization structure to be align with
VAEncMiscParameterBuffer(possible to impact BC)
* Add attribute for max frame size
* Add va_footer.html into distribution build
* va_trace: hevc profiles added
* Add new definition for input/output surface flag
* va/va_trace: add trace support for VAEncMiscParameterTypeSkipFrame
structure.
* va/va_trace: add MPEG2 trace support for MiscParam and SequenceParam
* va_openDriver: check strdup return value
* Mark some duplicated field as deprecated
* Add return value into logs
* va/va_trace: add trace support for VAEncMiscParameterEncQuality structure.
* Add newformat foucc defination
* va_backend: remove unneeded linux/videodev2.h include
* va_trace: add missing <sys/time.h> include
* configure: don't build glx if VA/X11 isn't built
* va/va_trace: unbreak with C89 after b369467
* [common] Add A2RGB10 fourcc definition
* build: meson: enables va messaging and visibility
* va/va_trace: add trace support for RIR(rolling intra refresh).
* va/va_trace: add trace support for ROI(region of interest)
Update to version 2.4.1:
* [common] Add A2RGB10 fourcc definition.
* build: meson: enables va messaging and visibility.
* va/va_trace:
* Add trace support for RIR(rolling intra refresh).
* Add trace support for ROI(region of interest).
Update to version 2.4.0:
* va_TraceSurface support for VA_FOURCC_P010
* Add pointer to struct wl_interface for driver to use
* (integrate) va: fix new line symbol in error message
* av: avoid driver path truncation
* Fix compilation warning (uninit and wrong variable types) for Android O MR1
* Allow import of the DRM PRIME 2 memory type
* android: ignore unimportant compile warnnings
* compile: fix sign/unsign compare in va_trace.c
* android: replace utils/Log.h with log/log.h
* High Dynamic Range Tone Mapping: Add a new filter for input metadata and
some comments
* Remove restrictions on vaSetDriverName()
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server 12 SP5 LTSS
zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-1477=1
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-1477=1
## Package List:
* SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
* libva-x11-2-debuginfo-2.20.0-3.3.4
* libva-drm2-debuginfo-2.20.0-3.3.4
* libva2-2.20.0-3.3.4
* libva-devel-2.20.0-3.3.4
* libva-drm2-2.20.0-3.3.4
* libva2-debuginfo-2.20.0-3.3.4
* libva-x11-2-2.20.0-3.3.4
* libva-debugsource-2.20.0-3.3.4
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
* libva-x11-2-debuginfo-2.20.0-3.3.4
* libva-drm2-debuginfo-2.20.0-3.3.4
* libva2-2.20.0-3.3.4
* libva-devel-2.20.0-3.3.4
* libva-drm2-2.20.0-3.3.4
* libva2-debuginfo-2.20.0-3.3.4
* libva-x11-2-2.20.0-3.3.4
* libva-debugsource-2.20.0-3.3.4
## References:
* https://www.suse.com/security/cve/CVE-2023-39929.html
* https://bugzilla.suse.com/show_bug.cgi?id=1202828
* https://bugzilla.suse.com/show_bug.cgi?id=1217770
* https://bugzilla.suse.com/show_bug.cgi?id=1224413
* https://jira.suse.com/browse/PED-11066
* https://jira.suse.com/browse/PED-1174
* https://jira.suse.com/browse/PM-1623
* https://jira.suse.com/browse/SLE-12712
* https://jira.suse.com/browse/SLE-19361
* https://jira.suse.com/browse/SLE-8838
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20250507/45b82bba/attachment.htm>
More information about the sle-security-updates
mailing list