<div class="container">
<h1>Security update for libva</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:1453-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-05-05T07:44:16Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1202828">bsc#1202828</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217770">bsc#1217770</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1224413">bsc#1224413</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-11066">jsc#PED-11066</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-39929.html">CVE-2023-39929</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-39929</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.7</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability, contains one feature and has two security fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for libva fixes the following issues:</p>
<p>Update to libva version 2.20.0, which includes a security fix for:</p>
<ul>
<li>CVE-2023-39929: uncontrolled search path may allow an authenticated user to
escalate privilege via local access (bsc#1224413, jsc#PED-11066)</li>
</ul>
<p>This includes the latest version of one of the components needed for Video
(processing) hardware support on Intel GPUs (bsc#1217770)</p>
<p>Update to version 2.20.0:</p>
<ul>
<li>av1: Revise offsets comments for av1 encode</li>
<li>
<p>drm:</p>
<ul>
<li>Limit the array size to avoid out of range</li>
<li>Remove no longer used helpers</li>
</ul>
</li>
<li>
<p>jpeg: add support for crop and partial decode</p>
</li>
<li>
<p>trace:</p>
<ul>
<li>Add trace for vaExportSurfaceHandle</li>
<li>Unlock mutex before return</li>
<li>Fix minor issue about printf data type and value range</li>
</ul>
</li>
<li>
<p>va/backend:</p>
<ul>
<li>Annotate vafool as deprecated</li>
<li>Document the vaGetDriver* APIs</li>
</ul>
</li>
<li>
<p>va/x11/va_fglrx: Remove some dead code</p>
</li>
<li>va/x11/va_nvctrl: Remove some dead code</li>
<li>
<p>va:</p>
<ul>
<li>Add new VADecodeErrorType to indicate the reset happened in
the driver</li>
<li>Add vendor string on va_TraceInitialize</li>
<li>Added Q416 fourcc (three-plane 16-bit YUV 4:4:4)</li>
<li>Drop no longer applicable vaGetDriverNames check</li>
<li>Fix: don't leak driver names, when override is set</li>
<li>Fix: set driver number to be zero if vaGetDriverNames failed</li>
<li>Optimize code of getting driver name for all protocols/os
(wayland,x11,drm,win32,android)</li>
<li>Remove legacy code paths</li>
<li>Remove unreachable "DRIVER BUG"</li>
</ul>
</li>
<li>
<p>x11/dri2: limit the array handling to avoid out of range access</p>
</li>
<li>
<p>x11:</p>
<ul>
<li>Allow disabling DRI3 via LIBVA_DRI3_DISABLE env var</li>
<li>Implement vaGetDriverNames</li>
<li>Remove legacy code paths</li>
</ul>
</li>
</ul>
<p>Update to 2.19.0:</p>
<ul>
<li>add: Add mono_chrome to VAEncSequenceParameterBufferAV1</li>
<li>add: Enable support for license acquisition of multiple protected
playbacks</li>
<li>fix: use secure_getenv instead of getenv</li>
<li>trace: Improve and add VA trace log for AV1 encode</li>
<li>trace: Unify va log message, replace va_TracePrint with va_TraceMsg.</li>
</ul>
<p>Update to version 2.18.0:</p>
<ul>
<li>doc: Add build and install libva information in home page.</li>
<li>
<p>fix:</p>
<ul>
<li>Add libva.def into distribution package</li>
<li>NULL check before calling strncmp.</li>
<li>Remove reference to non-existent symbol</li>
</ul>
</li>
<li>
<p>meson: docs:</p>
<ul>
<li>Add encoder interface for av1</li>
<li>Use libva_version over project_version()</li>
</ul>
</li>
<li>
<p>va:</p>
<ul>
<li>Add VAProfileH264High10</li>
<li>Always build with va-messaging API</li>
<li>Fix the coding style of CHECK_DISPLAY</li>
<li>Remove Android pre Jelly Bean workarounds</li>
<li>Remove dummy isValid() hook</li>
<li>Remove unused drm_sarea.h include &amp; ANDROID references in
va_dricommon.h</li>
<li>va/sysdeps.h: remove Android section</li>
</ul>
</li>
<li>
<p>x11:</p>
<ul>
<li>Allow disabling DRI3 via LIBVA_DRI3_DISABLE env var</li>
<li>Use LIBVA_DRI3_DISABLE in GetNumCandidates</li>
</ul>
</li>
<li>
<p>Add libva-wayland to baselibs.conf, now that its build has moved
to the main part of spec, source validator should no longer
complain on SLE.</p>
</li>
</ul>
<p>Update to 2.17.0:</p>
<ul>
<li>win: Simplify signature for driver name loading</li>
<li>win: Rewrite driver registry query and fix some
bugs/leaks/inefficiencies</li>
<li>win: Add missing null check after calloc</li>
<li>va: Update security disclaimer</li>
<li>dep: remove the file .cvsignore</li>
<li>pkgconfig: add 'with-legacy' for emgd, nvctrl and fglrx</li>
<li>meson: add 'with-legacy' for emgd, nvctrl and fglrx</li>
<li>x11: move all FGLRX code to va_fglrx.c</li>
<li>x11: move all NVCTRL code to va_nvctrl.c</li>
<li>meson: stop using deprecated meson.source_root()</li>
<li>meson: stop using configure_file copy=true</li>
<li>va: correctly include the win32 (local) headers</li>
<li>win: clean-up the coding style</li>
<li>va: dos2unix all the files</li>
<li>drm: remove unnecessary dri2 version/extension query</li>
<li>trace: annotate internal functions with DLL_HIDDEN</li>
<li>build/sysdeps: Remove HAVE_GNUC_VISIBILITY_ATTRIBUTE and use __GNUC__
support level attribute instead</li>
<li>meson: Check support for -Wl,-version-script and build link_args
accordingly</li>
<li>meson: Set va_win32 soversion to '' and remove the install_data rename</li>
<li>fix: resource check null</li>
<li>va_trace: Add Win32 memory types in va_TraceSurfaceAttributes</li>
<li>va_trace: va_TraceSurfaceAttributes should check the
VASurfaceAttribMemoryType</li>
<li>va: Adds Win32 Node and Windows build support</li>
<li>va: Adds compat_win32 abstraction for Windows build and prepares va
common code for windows build</li>
<li>pkgconfig: Add Win32 package for when WITH_WIN32 is enabled</li>
<li>meson: Add with_win32 option, makes libdrm non-mandatory on Win</li>
<li>x11: add basic DRI3 support</li>
<li>drm: remove VA_DRM_IsRenderNodeFd() helper</li>
<li>drm: add radeon drm + radeonsi mesa combo</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch SUSE-2025-1453=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1453=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1453=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP5 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-1453=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-1453=1</code>
</li>
</ul>
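<p>The following post-patch check is an added example, not part of the SUSE advisory: it compares the installed libva runtime packages against the fixed version-release given in the package list below. It assumes GNU <code>sort -V</code> as a stand-in for RPM's own version comparison; the function names are illustrative.</p>

```shell
#!/bin/sh
# Fixed version-release, taken from this advisory's package list.
FIXED="2.20.0-150500.3.5.1"
# Runtime packages named in the advisory's package list.
PACKAGES="libva2 libva-drm2 libva-x11-2 libva-wayland2 libva-glx2"

# version_ge A B: succeed when A sorts at or after B.
# Assumption: GNU "sort -V" ordering approximates RPM's comparison,
# which is adequate for the plain numeric versions used here.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# classify PKG INSTALLED_VERSION: print one status line for a package.
# An empty INSTALLED_VERSION means the package is not installed.
classify() {
    if [ -z "$2" ]; then
        echo "$1 not-installed"
    elif version_ge "$2" "$FIXED"; then
        echo "$1 patched $2"
    else
        echo "$1 needs-update $2"
    fi
}

# check_host: query the RPM database for each package and classify it.
check_host() {
    for pkg in $PACKAGES; do
        # rpm exits non-zero when the package is absent; treat as empty.
        ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || ver=""
        classify "$pkg" "$ver"
    done
}

check_host
```

<p>Any line reporting <code>needs-update</code> means the update from this advisory has not been applied to that package.</p>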
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
<ul>
<li>libva-x11-2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-devel-2.20.0-150500.3.5.1</li>
<li>libva-debugsource-2.20.0-150500.3.5.1</li>
<li>libva2-2.20.0-150500.3.5.1</li>
<li>libva-gl-debugsource-2.20.0-150500.3.5.1</li>
<li>libva-glx2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-glx2-2.20.0-150500.3.5.1</li>
<li>libva-drm2-2.20.0-150500.3.5.1</li>
<li>libva-gl-devel-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-2.20.0-150500.3.5.1</li>
<li>libva-x11-2-2.20.0-150500.3.5.1</li>
<li>libva-drm2-debuginfo-2.20.0-150500.3.5.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (x86_64)
<ul>
<li>libva-x11-2-32bit-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva2-32bit-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-32bit-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva2-32bit-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-32bit-2.20.0-150500.3.5.1</li>
<li>libva-devel-32bit-2.20.0-150500.3.5.1</li>
<li>libva-drm2-32bit-2.20.0-150500.3.5.1</li>
<li>libva-glx2-32bit-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-glx2-32bit-2.20.0-150500.3.5.1</li>
<li>libva-gl-devel-32bit-2.20.0-150500.3.5.1</li>
<li>libva-drm2-32bit-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-x11-2-32bit-2.20.0-150500.3.5.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (aarch64_ilp32)
<ul>
<li>libva2-64bit-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-64bit-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-64bit-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-drm2-64bit-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-drm2-64bit-2.20.0-150500.3.5.1</li>
<li>libva-devel-64bit-2.20.0-150500.3.5.1</li>
<li>libva2-64bit-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-glx2-64bit-2.20.0-150500.3.5.1</li>
<li>libva-x11-2-64bit-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-x11-2-64bit-2.20.0-150500.3.5.1</li>
<li>libva-gl-devel-64bit-2.20.0-150500.3.5.1</li>
<li>libva-glx2-64bit-debuginfo-2.20.0-150500.3.5.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
<ul>
<li>libva-x11-2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-devel-2.20.0-150500.3.5.1</li>
<li>libva-debugsource-2.20.0-150500.3.5.1</li>
<li>libva2-2.20.0-150500.3.5.1</li>
<li>libva2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-drm2-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-2.20.0-150500.3.5.1</li>
<li>libva-x11-2-2.20.0-150500.3.5.1</li>
<li>libva-drm2-debuginfo-2.20.0-150500.3.5.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64)
<ul>
<li>libva-x11-2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-devel-2.20.0-150500.3.5.1</li>
<li>libva-debugsource-2.20.0-150500.3.5.1</li>
<li>libva2-2.20.0-150500.3.5.1</li>
<li>libva2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-drm2-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-2.20.0-150500.3.5.1</li>
<li>libva-x11-2-2.20.0-150500.3.5.1</li>
<li>libva-drm2-debuginfo-2.20.0-150500.3.5.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
<ul>
<li>libva-x11-2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-devel-2.20.0-150500.3.5.1</li>
<li>libva-debugsource-2.20.0-150500.3.5.1</li>
<li>libva2-2.20.0-150500.3.5.1</li>
<li>libva2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-drm2-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-2.20.0-150500.3.5.1</li>
<li>libva-x11-2-2.20.0-150500.3.5.1</li>
<li>libva-drm2-debuginfo-2.20.0-150500.3.5.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
<ul>
<li>libva-x11-2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-devel-2.20.0-150500.3.5.1</li>
<li>libva-debugsource-2.20.0-150500.3.5.1</li>
<li>libva2-2.20.0-150500.3.5.1</li>
<li>libva2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-debuginfo-2.20.0-150500.3.5.1</li>
<li>libva-drm2-2.20.0-150500.3.5.1</li>
<li>libva-wayland2-2.20.0-150500.3.5.1</li>
<li>libva-x11-2-2.20.0-150500.3.5.1</li>
<li>libva-drm2-debuginfo-2.20.0-150500.3.5.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-39929.html">https://www.suse.com/security/cve/CVE-2023-39929.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1202828">https://bugzilla.suse.com/show_bug.cgi?id=1202828</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217770">https://bugzilla.suse.com/show_bug.cgi?id=1217770</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1224413">https://bugzilla.suse.com/show_bug.cgi?id=1224413</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-11066">https://jira.suse.com/browse/PED-11066</a>
</li>
</ul>
</div>