SUSE-SU-2025:1452-1: moderate: Security update for libva
SLE-UPDATES
null at suse.de
Mon May 5 08:30:40 UTC 2025
# Security update for libva
Announcement ID: SUSE-SU-2025:1452-1
Release Date: 2025-05-05T07:44:00Z
Rating: moderate
References:
* bsc#1202828
* bsc#1217770
* bsc#1224413
* jsc#PED-11066
* jsc#PED-1174
Cross-References:
* CVE-2023-39929
CVSS scores:
* CVE-2023-39929 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products:
* openSUSE Leap 15.4
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
An update that solves one vulnerability, contains two features and has two
security fixes can now be installed.
## Description:
This update for libva fixes the following issues:
Update to libva version 2.20.0, which includes security fix for:
* CVE-2023-39929: Uncontrolled search path may allow an authenticated user to
escalate privilege via local access (bsc#1224413, jsc#PED-11066)
This includes latest version of one of the components needed for Video
(processing) hardware support on Intel GPUs (bsc#1217770)
Update to version 2.20.0:
* av1: Revise offsets comments for av1 encode
* drm:
* Limit the array size to avoid out of range
* Remove no longer used helpers
* jpeg: add support for crop and partial decode
* trace:
* Add trace for vaExportSurfaceHandle
* Unlock mutex before return
* Fix minor issue about printf data type and value range
* va/backend:
* Annotate vafool as deprecated
* Document the vaGetDriver* APIs
* va/x11/va_fglrx: Remove some dead code
* va/x11/va_nvctrl: Remove some dead code
* va:
* Add new VADecodeErrorType to indicate the reset happended in the driver
* Add vendor string on va_TraceInitialize
* Added Q416 fourcc (three-plane 16-bit YUV 4:4:4)
* Drop no longer applicable vaGetDriverNames check
* Fix:don't leak driver names, when override is set
* Fix:set driver number to be zero if vaGetDriverNames failed
* Optimize code of getting driver name for all protocols/os (wayland,x11,drm,win32,android)
* Remove legacy code paths
* Remove unreachable "DRIVER BUG"
* win32:
* Only print win32 driver messages in DEBUG builds
* Remove duplicate adapter_luid entry
* x11/dri2: limit the array handling to avoid out of range access
* x11:
* Allow disabling DRI3 via LIBVA_DRI3_DISABLE env var
* Implement vaGetDriverNames
* Remove legacy code paths
Update to 2.19.0:
* add: Add mono_chrome to VAEncSequenceParameterBufferAV1
* add: Enable support for license acquisition of multiple protected playbacks
* fix: use secure_getenv instead of getenv
* trace: Improve and add VA trace log for AV1 encode
* trace: Unify va log message, replace va_TracePrint with va_TraceMsg.
Update to version 2.18.0:
* doc: Add build and install libva informatio in home page.
* fix:
* Add libva.def into distribution package
* NULL check before calling strncmp.
* Remove reference to non-existent symbol
* meson: docs:
* Add encoder interface for av1
* Use libva_version over project_version()
* va:
* Add VAProfileH264High10
* Always build with va-messaging API
* Fix the codying style of CHECK_DISPLAY
* Remove Android pre Jelly Bean workarounds
* Remove dummy isValid() hook
* Remove unused drm_sarea.h include & ANDROID references in va_dricommon.h
* va/sysdeps.h: remove Android section
* x11:
* Allow disabling DRI3 via LIBVA_DRI3_DISABLe env var
* Use LIBVA_DRI3_DISABLE in GetNumCandidates
update to 2.17.0:
* win: Simplify signature for driver name loading
* win: Rewrite driver registry query and fix some bugs/leaks/inefficiencies
* win: Add missing null check after calloc
* va: Update security disclaimer
* dep:remove the file .cvsignore
* pkgconfig: add 'with-legacy' for emgd, nvctrl and fglrx
* meson: add 'with-legacy' for emgd, nvctrl and fglrx
* x11: move all FGLRX code to va_fglrx.c
* x11: move all NVCTRL code to va_nvctrl.c
* meson: stop using deprecated meson.source_root()
* meson: stop using configure_file copy=true
* va: correctly include the win32 (local) headers
* win: clean-up the coding style
* va: dos2unix all the files
* drm: remove unnecessary dri2 version/extension query
* trace: annotate internal functions with DLL_HIDDEN
* build/sysdeps: Remove HAVE_GNUC_VISIBILITY_ATTRIBUTE and use _GNUC_ support
level attribute instead
* meson: Check support for -Wl,-version-script and build link_args accordingly
* meson: Set va_win32 soversion to '' and remove the install_data rename
* fix: resouce check null
* va_trace: Add Win32 memory types in va_TraceSurfaceAttributes
* va_trace: va_TraceSurfaceAttributes should check the
VASurfaceAttribMemoryType
* va: Adds Win32 Node and Windows build support
* va: Adds compat_win32 abstraction for Windows build and prepares va common
code for windows build
* pkgconfig: Add Win32 package for when WITH_WIN32 is enabled
* meson: Add with_win32 option, makes libdrm non-mandatory on Win
* x11: add basic DRI3 support
* drm: remove VA_DRM_IsRenderNodeFd() helper
* drm: add radeon drm + radeonsi mesa combo
* needed for jira#PED-1174 (Video decoding/encoding support (VA-API, ...) for
Intel GPUs is outside of Mesa)
Update to 2.16.0:
* add: Add HierarchicalFlag & hierarchical_level_plus1 for AV1e.
* dep: Update README.md to remove badge links
* dep: Removed waffle-io badge from README to fix broken link
* dep: Drop mailing list, IRC and Slack
* autotools: use wayland-scanner private-code
* autotools: use the wayland-scanner.pc to locate the prog
* meson: use wayland-scanner private-code
* meson: request native wayland-scanner
* meson: use the wayland-scanner.pc to locate the prog
* meson: set HAVE_VA_X11 when applicable
* style:Correct slight coding style in several new commits
* trace: add Linux ftrace mode for va trace
* trace: Add missing pthread_mutex_destroy
* drm: remove no-longer needed X == X mappings
* drm: fallback to drm driver name == va driver name
* drm: simplify the mapping table
* x11: simplify the mapping table
Update to version 2.15.0 was part of Intel oneVPL GPU Runtime 2022Q2 Release
22.4.4
Update to 2.15.0:
* Add: new display HW attribute to report PCI ID
* Add: sample depth related parameters for AV1e
* Add: refresh_frame_flags for AV1e
* Add: missing fields in va_TraceVAEncSequenceParameterBufferHEVC.
* Add: nvidia-drm to the drm driver map
* Add: type and buffer for delta qp per block
* Deprecation: remove the va_fool support
* Fix:Correct the version of meson build on master branch
* Fix:X11 DRI2: check if device is a render node
* Build:Use also strong stack protection if supported
* Trace:print the string for profile/entrypoint/configattrib
Update to 2.14.0:
* add: Add av1 encode interfaces
* add: VA/X11 VAAPI driver mapping for crocus DRI driver
* doc: Add description of the fd management for surface importing
* ci: fix freebsd build
* meson: Copy public headers to build directory to support subproject
* CVE-2023-39929: Fixed an issue where an uncontrolled search path may allow
authenticated users to escalate privilege via local access. (bsc#1224413)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2025-1452=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-1452=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1452=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-1452=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-1452=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* libva-drm2-debuginfo-2.20.0-150400.3.5.1
* libva-devel-2.20.0-150400.3.5.1
* libva-x11-2-2.20.0-150400.3.5.1
* libva2-2.20.0-150400.3.5.1
* libva-gl-devel-2.20.0-150400.3.5.1
* libva-glx2-2.20.0-150400.3.5.1
* libva-x11-2-debuginfo-2.20.0-150400.3.5.1
* libva-gl-debugsource-2.20.0-150400.3.5.1
* libva-glx2-debuginfo-2.20.0-150400.3.5.1
* libva-wayland2-2.20.0-150400.3.5.1
* libva-debugsource-2.20.0-150400.3.5.1
* libva-wayland2-debuginfo-2.20.0-150400.3.5.1
* libva-drm2-2.20.0-150400.3.5.1
* libva2-debuginfo-2.20.0-150400.3.5.1
* openSUSE Leap 15.4 (x86_64)
* libva-glx2-32bit-2.20.0-150400.3.5.1
* libva-drm2-32bit-debuginfo-2.20.0-150400.3.5.1
* libva-wayland2-32bit-debuginfo-2.20.0-150400.3.5.1
* libva-devel-32bit-2.20.0-150400.3.5.1
* libva-x11-2-32bit-2.20.0-150400.3.5.1
* libva2-32bit-2.20.0-150400.3.5.1
* libva-x11-2-32bit-debuginfo-2.20.0-150400.3.5.1
* libva-glx2-32bit-debuginfo-2.20.0-150400.3.5.1
* libva-gl-devel-32bit-2.20.0-150400.3.5.1
* libva2-32bit-debuginfo-2.20.0-150400.3.5.1
* libva-wayland2-32bit-2.20.0-150400.3.5.1
* libva-drm2-32bit-2.20.0-150400.3.5.1
* openSUSE Leap 15.4 (aarch64_ilp32)
* libva-glx2-64bit-2.20.0-150400.3.5.1
* libva-drm2-64bit-2.20.0-150400.3.5.1
* libva-glx2-64bit-debuginfo-2.20.0-150400.3.5.1
* libva2-64bit-debuginfo-2.20.0-150400.3.5.1
* libva-gl-devel-64bit-2.20.0-150400.3.5.1
* libva-drm2-64bit-debuginfo-2.20.0-150400.3.5.1
* libva-wayland2-64bit-2.20.0-150400.3.5.1
* libva-x11-2-64bit-2.20.0-150400.3.5.1
* libva-devel-64bit-2.20.0-150400.3.5.1
* libva2-64bit-2.20.0-150400.3.5.1
* libva-x11-2-64bit-debuginfo-2.20.0-150400.3.5.1
* libva-wayland2-64bit-debuginfo-2.20.0-150400.3.5.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* libva-drm2-debuginfo-2.20.0-150400.3.5.1
* libva-devel-2.20.0-150400.3.5.1
* libva-x11-2-2.20.0-150400.3.5.1
* libva2-2.20.0-150400.3.5.1
* libva-x11-2-debuginfo-2.20.0-150400.3.5.1
* libva-wayland2-2.20.0-150400.3.5.1
* libva-debugsource-2.20.0-150400.3.5.1
* libva-wayland2-debuginfo-2.20.0-150400.3.5.1
* libva-drm2-2.20.0-150400.3.5.1
* libva2-debuginfo-2.20.0-150400.3.5.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* libva-drm2-debuginfo-2.20.0-150400.3.5.1
* libva-devel-2.20.0-150400.3.5.1
* libva-x11-2-2.20.0-150400.3.5.1
* libva2-2.20.0-150400.3.5.1
* libva-x11-2-debuginfo-2.20.0-150400.3.5.1
* libva-wayland2-2.20.0-150400.3.5.1
* libva-debugsource-2.20.0-150400.3.5.1
* libva-wayland2-debuginfo-2.20.0-150400.3.5.1
* libva-drm2-2.20.0-150400.3.5.1
* libva2-debuginfo-2.20.0-150400.3.5.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
* libva-drm2-debuginfo-2.20.0-150400.3.5.1
* libva-devel-2.20.0-150400.3.5.1
* libva-x11-2-2.20.0-150400.3.5.1
* libva2-2.20.0-150400.3.5.1
* libva-x11-2-debuginfo-2.20.0-150400.3.5.1
* libva-wayland2-2.20.0-150400.3.5.1
* libva-debugsource-2.20.0-150400.3.5.1
* libva-wayland2-debuginfo-2.20.0-150400.3.5.1
* libva-drm2-2.20.0-150400.3.5.1
* libva2-debuginfo-2.20.0-150400.3.5.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* libva-drm2-debuginfo-2.20.0-150400.3.5.1
* libva-devel-2.20.0-150400.3.5.1
* libva-x11-2-2.20.0-150400.3.5.1
* libva2-2.20.0-150400.3.5.1
* libva-x11-2-debuginfo-2.20.0-150400.3.5.1
* libva-wayland2-2.20.0-150400.3.5.1
* libva-debugsource-2.20.0-150400.3.5.1
* libva-wayland2-debuginfo-2.20.0-150400.3.5.1
* libva-drm2-2.20.0-150400.3.5.1
* libva2-debuginfo-2.20.0-150400.3.5.1
## References:
* https://www.suse.com/security/cve/CVE-2023-39929.html
* https://bugzilla.suse.com/show_bug.cgi?id=1202828
* https://bugzilla.suse.com/show_bug.cgi?id=1217770
* https://bugzilla.suse.com/show_bug.cgi?id=1224413
* https://jira.suse.com/browse/PED-11066
* https://jira.suse.com/browse/PED-1174
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20250505/6e766560/attachment.htm>
More information about the sle-updates
mailing list