<div class="container">
<h1>Security update for libva</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:1477-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-05-06T09:17:19Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1202828">bsc#1202828</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217770">bsc#1217770</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1224413">bsc#1224413</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-11066">jsc#PED-11066</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-1174">jsc#PED-1174</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PM-1623">jsc#PM-1623</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/SLE-12712">jsc#SLE-12712</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/SLE-19361">jsc#SLE-19361</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/SLE-8838">jsc#SLE-8838</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-39929.html">CVE-2023-39929</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-39929</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.7</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 12 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability, contains six features and has two security fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for libva fixes the following issues:</p>
<p>Update to libva version 2.20.0, which includes security fix for:</p>
<ul>
<li>uncontrolled search path may allow an authenticated user to
escalate privilege via local access (CVE-2023-39929,
bsc#1224413, jsc#PED-11066)</li>
</ul>
<p>This includes latest version of one of the components needed for Video
(processing) hardware support on Intel GPUs (bsc#1217770)</p>
<p>Update to version 2.20.0:</p>
<ul>
<li>av1: Revise offsets comments for av1 encode</li>
<li>drm:<ul>
<li>Limit the array size to avoid out of range</li>
<li>Remove no longer used helpers</li>
</ul>
</li>
<li>jpeg: add support for crop and partial decode</li>
<li>trace:<ul>
<li>Add trace for vaExportSurfaceHandle</li>
<li>Unlock mutex before return</li>
<li>Fix minor issue about printf data type and value range</li>
</ul>
</li>
<li>va/backend:<ul>
<li>Annotate vafool as deprecated</li>
<li>Document the vaGetDriver* APIs</li>
</ul>
</li>
<li>va/x11/va_fglrx: Remove some dead code</li>
<li>va/x11/va_nvctrl: Remove some dead code</li>
<li>va:<ul>
<li>Add new VADecodeErrorType to indicate the reset happended in
the driver</li>
<li>Add vendor string on va_TraceInitialize</li>
<li>Added Q416 fourcc (three-plane 16-bit YUV 4:4:4)</li>
<li>Drop no longer applicable vaGetDriverNames check</li>
<li>Fix:don't leak driver names, when override is set</li>
<li>Fix:set driver number to be zero if vaGetDriverNames failed</li>
<li>Optimize code of getting driver name for all protocols/os
(wayland,x11,drm,win32,android)</li>
<li>Remove legacy code paths</li>
<li>Remove unreachable "DRIVER BUG"</li>
</ul>
</li>
<li>win32:<ul>
<li>Only print win32 driver messages in DEBUG builds</li>
<li>Remove duplicate adapter_luid entry</li>
</ul>
</li>
<li>x11/dri2: limit the array handling to avoid out of range access</li>
<li>x11:<ul>
<li>Allow disabling DRI3 via LIBVA_DRI3_DISABLE env var</li>
<li>Implement vaGetDriverNames</li>
<li>Remove legacy code paths</li>
</ul>
</li>
</ul>
<p>Update to 2.19.0:</p>
<ul>
<li>add: Add mono_chrome to VAEncSequenceParameterBufferAV1</li>
<li>add: Enable support for license acquisition of multiple protected
playbacks</li>
<li>fix: use secure_getenv instead of getenv</li>
<li>trace: Improve and add VA trace log for AV1 encode</li>
<li>trace: Unify va log message, replace va_TracePrint with va_TraceMsg.</li>
</ul>
<p>Update to version 2.18.0:</p>
<ul>
<li>doc: Add build and install libva informatio in home page.</li>
<li>fix:<ul>
<li>Add libva.def into distribution package</li>
<li>NULL check before calling strncmp.</li>
<li>Remove reference to non-existent symbol</li>
</ul>
</li>
<li>meson: docs:<ul>
<li>Add encoder interface for av1</li>
<li>Use libva_version over project_version()</li>
</ul>
</li>
<li>va:<ul>
<li>Add VAProfileH264High10</li>
<li>Always build with va-messaging API</li>
<li>Fix the codying style of CHECK_DISPLAY</li>
<li>Remove Android pre Jelly Bean workarounds</li>
<li>Remove dummy isValid() hook</li>
<li>Remove unused drm_sarea.h include & ANDROID references in
va_dricommon.h</li>
<li>va/sysdeps.h: remove Android section</li>
</ul>
</li>
<li>x11:<ul>
<li>Allow disabling DRI3 via LIBVA_DRI3_DISABLe env var</li>
<li>Use LIBVA_DRI3_DISABLE in GetNumCandidates</li>
</ul>
</li>
</ul>
<p>Update to 2.17.0:</p>
<ul>
<li>win: Simplify signature for driver name loading</li>
<li>win: Rewrite driver registry query and fix some
bugs/leaks/inefficiencies</li>
<li>win: Add missing null check after calloc</li>
<li>va: Update security disclaimer</li>
<li>dep:remove the file .cvsignore</li>
<li>pkgconfig: add 'with-legacy' for emgd, nvctrl and fglrx</li>
<li>meson: add 'with-legacy' for emgd, nvctrl and fglrx</li>
<li>x11: move all FGLRX code to va_fglrx.c</li>
<li>x11: move all NVCTRL code to va_nvctrl.c</li>
<li>meson: stop using deprecated meson.source_root()</li>
<li>meson: stop using configure_file copy=true</li>
<li>va: correctly include the win32 (local) headers</li>
<li>win: clean-up the coding style</li>
<li>va: dos2unix all the files</li>
<li>drm: remove unnecessary dri2 version/extension query</li>
<li>trace: annotate internal functions with DLL_HIDDEN</li>
<li>build/sysdeps: Remove HAVE_GNUC_VISIBILITY_ATTRIBUTE and use <em>GNUC</em>
support level attribute instead</li>
<li>meson: Check support for -Wl,-version-script and build link_args
accordingly</li>
<li>meson: Set va_win32 soversion to '' and remove the install_data rename</li>
<li>fix: resouce check null</li>
<li>va_trace: Add Win32 memory types in va_TraceSurfaceAttributes</li>
<li>va_trace: va_TraceSurfaceAttributes should check the
VASurfaceAttribMemoryType</li>
<li>va: Adds Win32 Node and Windows build support</li>
<li>va: Adds compat_win32 abstraction for Windows build and prepares va
common code for windows build</li>
<li>pkgconfig: Add Win32 package for when WITH_WIN32 is enabled</li>
<li>meson: Add with_win32 option, makes libdrm non-mandatory on Win</li>
<li>x11: add basic DRI3 support</li>
<li>drm: remove VA_DRM_IsRenderNodeFd() helper</li>
<li>drm: add radeon drm + radeonsi mesa combo</li>
</ul>
<p>Needed for jira#PED-1174 (Video decoding/encoding support (VA-API,
...) for Intel GPUs is outside of Mesa)</p>
<p>update to 2.16.0:</p>
<ul>
<li>add: Add HierarchicalFlag & hierarchical_level_plus1 for AV1e.</li>
<li>dep: Update README.md to remove badge links</li>
<li>dep: Removed waffle-io badge from README to fix broken link</li>
<li>dep: Drop mailing list, IRC and Slack</li>
<li>autotools: use wayland-scanner private-code</li>
<li>autotools: use the wayland-scanner.pc to locate the prog</li>
<li>meson: use wayland-scanner private-code</li>
<li>meson: request native wayland-scanner</li>
<li>meson: use the wayland-scanner.pc to locate the prog</li>
<li>meson: set HAVE_VA_X11 when applicable</li>
<li>style:Correct slight coding style in several new commits</li>
<li>trace: add Linux ftrace mode for va trace</li>
<li>trace: Add missing pthread_mutex_destroy</li>
<li>drm: remove no-longer needed X == X mappings</li>
<li>drm: fallback to drm driver name == va driver name</li>
<li>drm: simplify the mapping table</li>
<li>x11: simplify the mapping table</li>
</ul>
<p>Update to version 2.15.0 was part of Intel oneVPL GPU Runtime 2022Q2
Release 22.4.4</p>
<p>Update to 2.15.0:</p>
<ul>
<li>Add: new display HW attribute to report PCI ID</li>
<li>Add: sample depth related parameters for AV1e</li>
<li>Add: refresh_frame_flags for AV1e</li>
<li>Add: missing fields in va_TraceVAEncSequenceParameterBufferHEVC.</li>
<li>Add: nvidia-drm to the drm driver map</li>
<li>Add: type and buffer for delta qp per block</li>
<li>Deprecation: remove the va_fool support</li>
<li>Fix:Correct the version of meson build on master branch</li>
<li>Fix:X11 DRI2: check if device is a render node</li>
<li>Build:Use also strong stack protection if supported</li>
<li>Trace:print the string for profile/entrypoint/configattrib</li>
</ul>
<p>Update to 2.14.0:</p>
<ul>
<li>add: Add av1 encode interfaces</li>
<li>add: VA/X11 VAAPI driver mapping for crocus DRI driver</li>
<li>doc: Add description of the fd management for surface importing</li>
<li>ci: fix freebsd build</li>
<li>meson: Copy public headers to build directory to support subproject</li>
</ul>
<p>Update to 2.13.0:</p>
<ul>
<li>add new surface format fourcc XYUV</li>
<li>Fix av1 dec doc page link issue</li>
<li>unify the code styles using the style_unify script</li>
<li>Check the function pointer before using (fixes github issue#536)</li>
<li>update NEWS for 2.13.0</li>
</ul>
<p>update to 2.12.0:</p>
<ul>
<li>add: Report the capability of vaCopy support</li>
<li>add: Report the capability of sub device</li>
<li>add: Add config attributes to advertise HEVC/H.265 encoder features</li>
<li>add: Video processing HVS Denoise: Added 4 modes</li>
<li>add: Introduce VASurfaceAttribDRMFormatModifiers</li>
<li>add: Add 3DLUT Filter in Video Processing.</li>
<li>doc: Update log2_tile_column description for vp9enc</li>
<li>trace: Correct av1 film grain trace information</li>
<li>ci: Fix freebsd build by switching to vmactions/freebsd-vm@v0.1.3</li>
</ul>
<p>update to 2.11.0:</p>
<ul>
<li>add: LibVA Protected Content API</li>
<li>add: Add a configuration attribute to advertise AV1d LST feature</li>
<li>fix: wayland: don't try to authenticate with render nodes</li>
<li>autotools: use shell grouping instead of sed to prepend a line</li>
<li>trace: Add details data dump for mpeg2 IQ matrix.</li>
<li>doc: update docs for VASurfaceAttribPixelFormat</li>
<li>doc: Libva documentation edit for AV1 reference frames</li>
<li>doc: Modify AV1 frame_width_minus1 and frame_height_minus1 comment</li>
<li>doc: Remove tile_rows and tile_cols restriction to match AV1 spec</li>
<li>doc: Format code for doxygen output</li>
<li>doc: AV1 decode documentation edit for superres_scale_denominator</li>
<li>ci: upgrade FreeBSD to 12.2</li>
<li>ci: disable travis build</li>
<li>ci: update cache before attempting to install packages</li>
<li>ci: avoid running workloads on other workloads changes</li>
<li>ci: enable github actions </li>
</ul>
<p>update to 2.10.0:</p>
<ul>
<li>add: Pass offset and size of pred_weight_table</li>
<li>add: add vaCopy interface to copy surface and buffer</li>
<li>add: add definition for different execution</li>
<li>add: New parameters for transport controlled BRC were added</li>
<li>add: add FreeBSD support</li>
<li>add: add a bufer type to adjust context priority dynamically</li>
<li>fix: correct the api version in meson.build</li>
<li>fix: remove deprecated variable from va_trace.c</li>
<li>fix: Use va_deprecated for the deprecate variable</li>
<li>fix: Mark chroma_sample_position as deprecated</li>
<li>doc: va_dec_av1: clarifies CDEF syntax element packing</li>
<li>doc: [AV1] Update documented ranges for loop filter and quantization params.</li>
<li>doc: Update va.h for multi-threaded usages</li>
<li>trace: va/va_trace: ignore system gettid() on Linux</li>
</ul>
<p>Update to 2.9.1:</p>
<ul>
<li>fix version mismatch between meson and autotools </li>
</ul>
<p>Update to 2.9.0:</p>
<ul>
<li>trace: Refine the va_TraceVAPictureParameterBufferAV1.</li>
<li>doc: Add comments for backward/forward reference to avoid confusion</li>
<li>doc: Modify comments in av1 decoder interfaces</li>
<li>doc: Update mailing list</li>
<li>Add SCC fields trace for HEVC SCC encoding.</li>
<li>Add FOURCC code for Y212 and Y412 format.</li>
<li>Add interpolation method for scaling.</li>
<li>add attributes for context priority setting</li>
<li>Add vaSyncBuffer for output buffers synchronization</li>
<li>Add vaSyncSurface2 with timeout</li>
</ul>
<p>Update to 2.8.0:</p>
<ul>
<li>trace: enable return value trace for successful function call</li>
<li>trace: divide va_TraceEndPicture to two seperate function</li>
<li>trace: add support for VAProfileHEVCSccMain444_10</li>
<li>fix:Fixes file descriptor leak</li>
<li>add fourcc code for P012 format</li>
<li>travis: Add a test that code files don't have the exec bit set</li>
<li>Remove the execute bit from all source code files</li>
<li>meson: Allow for libdir and includedir to be absolute paths</li>
<li>trace: Fix format string warnings</li>
<li>fix:Fix clang warning (reading garbage)</li>
<li>add definition to enforce both reflist not empty</li>
<li>trace: List correct field names in va_TraceVAPictureParameterBufferHEVC</li>
<li>change the return value to be UNIMPLEMENTED when the function pointer is NULL</li>
<li>remove check of vaPutSurface implementation</li>
<li>Add new slice structure flag for CAPS reporting</li>
<li>VA/X11: VAAPI driver mapping for iris DRI driver</li>
<li>VA/X11: enable driver candidate selection for DRI2</li>
<li>Add SCC flags to enable/disable features</li>
<li>fix: Fix HDR10 MaxCLL and MaxFALL documentation</li>
<li>Add VAProfileHEVCSccMain444_10 for HEVC</li>
<li>change the compatible list to be dynamic one</li>
<li>trace:Convert VAProfileAV1Profile0 VAProfileAV1Profile1 to string</li>
</ul>
<p>Update to version 2.7.0:</p>
<ul>
<li>trace: av1 decode buffers trace</li>
<li>trace: Add HEVC REXT and SCC trace for decoding.</li>
<li>Add av1 decode interfaces</li>
<li>Fix crashes on system without supported hardware by PR #369.</li>
<li>Add 2 FourCC for 10bit RGB(without Alpha) format: X2R10G10B10
and X2B10G10R10.</li>
<li>Fix android build issue #365 and remove some trailing
whitespace</li>
<li>Adjust call sequence to ensure authenticate operation is
executed to fix #355</li>
</ul>
<p>Update to version 2.6.1:</p>
<ul>
<li>adjust call sequence to ensure authenticate operation is
executed this patch is not needed for media-driver, but
needed for i965 driver which check authentication. </li>
</ul>
<p>Update to version 2.6.0:</p>
<ul>
<li>enable the mutiple driver selection logic and enable it for DRM.</li>
<li>drm: Add iHD to driver_name_map</li>
<li>Add missed slice parameter 'slice_data_num_emu_prevn_bytes'</li>
<li>ensure that all meson files are part of the release tarball</li>
<li>configure: use correct comparison operator</li>
<li>trace: support VAConfigAttribMultipleFrame in trace</li>
<li>remove incorrect field of VAConfigAttribValDecJPEG</li>
<li>va/va_trace: Dump VP9 parameters for profile 1~3</li>
<li>add multiple frame capability report</li>
<li>add variable to indicate layer infromation</li>
<li>trace: fix memory leak on closing the trace</li>
<li>add prediction direction caps report</li>
<li>Add comments for colour primaries and transfer characteristics in VAProcColorProperties</li>
</ul>
<p>This release is needed for latest intel-media-driver update (jsc#SLE-8838)</p>
<p>Update to version 2.5.0:</p>
<ul>
<li>Correct the comment of color_range.</li>
<li>Add VA_FOURCC_A2B10G10R10 for format a2b10g10r10.</li>
<li>Adjust VAEncMiscParameterQuantization structure to be align with VAEncMiscParameterBuffer(possible to impact BC)</li>
<li>Add attribute for max frame size</li>
<li>Add va_footer.html into distribution build</li>
<li>va_trace: hevc profiles added</li>
<li>Add new definition for input/output surface flag</li>
<li>va/va_trace: add trace support for VAEncMiscParameterTypeSkipFrame structure.</li>
<li>va/va_trace: add MPEG2 trace support for MiscParam and SequenceParam</li>
<li>va_openDriver: check strdup return value</li>
<li>Mark some duplicated field as deprecated</li>
<li>Add return value into logs</li>
<li>va/va_trace: add trace support for VAEncMiscParameterEncQuality structure.</li>
<li>Add newformat foucc defination</li>
<li>va_backend: remove unneeded linux/videodev2.h include</li>
<li>va_trace: add missing <sys/time.h> include</li>
<li>configure: don't build glx if VA/X11 isn't built</li>
<li>va/va_trace: unbreak with C89 after b369467</li>
<li>[common] Add A2RGB10 fourcc definition</li>
<li>build: meson: enables va messaging and visibility</li>
<li>va/va_trace: add trace support for RIR(rolling intra refresh).</li>
<li>va/va_trace: add trace support for ROI(region of interest)</li>
</ul>
<p>Update to version 2.4.1:</p>
<ul>
<li>[common] Add A2RGB10 fourcc definition.</li>
<li>build: meson: enables va messaging and visibility.</li>
<li>va/va_trace:<ul>
<li>Add trace support for RIR(rolling intra refresh).</li>
<li>Add trace support for ROI(region of interest).</li>
</ul>
</li>
</ul>
<p>Update to version 2.4.0:</p>
<ul>
<li>va_TraceSurface support for VA_FOURCC_P010</li>
<li>Add pointer to struct wl_interface for driver to use</li>
<li>(integrate) va: fix new line symbol in error message</li>
<li>av: avoid driver path truncation</li>
<li>Fix compilation warning (uninit and wrong variable types) for
Android O MR1</li>
<li>Allow import of the DRM PRIME 2 memory type</li>
<li>android: ignore unimportant compile warnnings</li>
<li>compile: fix sign/unsign compare in va_trace.c</li>
<li>android: replace utils/Log.h with log/log.h</li>
<li>High Dynamic Range Tone Mapping: Add a new filter for input
metadata and some comments</li>
<li>Remove restrictions on vaSetDriverName()</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-1477=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-1477=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
<ul>
<li>libva-x11-2-debuginfo-2.20.0-3.3.4</li>
<li>libva-drm2-debuginfo-2.20.0-3.3.4</li>
<li>libva2-2.20.0-3.3.4</li>
<li>libva-devel-2.20.0-3.3.4</li>
<li>libva-drm2-2.20.0-3.3.4</li>
<li>libva2-debuginfo-2.20.0-3.3.4</li>
<li>libva-x11-2-2.20.0-3.3.4</li>
<li>libva-debugsource-2.20.0-3.3.4</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
<ul>
<li>libva-x11-2-debuginfo-2.20.0-3.3.4</li>
<li>libva-drm2-debuginfo-2.20.0-3.3.4</li>
<li>libva2-2.20.0-3.3.4</li>
<li>libva-devel-2.20.0-3.3.4</li>
<li>libva-drm2-2.20.0-3.3.4</li>
<li>libva2-debuginfo-2.20.0-3.3.4</li>
<li>libva-x11-2-2.20.0-3.3.4</li>
<li>libva-debugsource-2.20.0-3.3.4</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-39929.html">https://www.suse.com/security/cve/CVE-2023-39929.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1202828">https://bugzilla.suse.com/show_bug.cgi?id=1202828</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217770">https://bugzilla.suse.com/show_bug.cgi?id=1217770</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1224413">https://bugzilla.suse.com/show_bug.cgi?id=1224413</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-11066">https://jira.suse.com/browse/PED-11066</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-1174">https://jira.suse.com/browse/PED-1174</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PM-1623">https://jira.suse.com/browse/PM-1623</a>
</li>
<li>
<a href="https://jira.suse.com/browse/SLE-12712">https://jira.suse.com/browse/SLE-12712</a>
</li>
<li>
<a href="https://jira.suse.com/browse/SLE-19361">https://jira.suse.com/browse/SLE-19361</a>
</li>
<li>
<a href="https://jira.suse.com/browse/SLE-8838">https://jira.suse.com/browse/SLE-8838</a>
</li>
</ul>
</div>