Vulnerabilities in libvdpau 1.1 and older when used with setuid or setgid applications

libvdpau versions 1.1 and earlier, when used in setuid or setgid applications, contain vulnerabilities related to environment variable handling that could allow an attacker to execute arbitrary code or overwrite arbitrary files. See CVE-2015-5198, CVE-2015-5199, and CVE-2015-5200 for more details.

A fixed version of libvdpau is available at http://people.freedesktop.org/~aplattner/vdpau/libvdpau-1.1.1.tar.bz2.

NVIDIA does not recommend the use of libvdpau with setuid or setgid applications.

Currently available versions of the NVIDIA driver contain a pre-compiled version of the vulnerable library. This copy will not be installed by nvidia-installer if the fixed version is already installed. In addition, the --no-install-vdpau-wrapper option can be passed to the installer to prevent it from installing the vulnerable copy even if an existing copy is not found. The legacy release 304.128 does not contain libvdpau.
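
The class of problem described above, a library trusting environment variables while it runs inside a setuid or setgid process, is commonly handled by ignoring those variables whenever the real and effective IDs differ. The C code below is an added example of that pattern, not libvdpau's or NVIDIA's code; the variable names EXAMPLE_MODULE_PATH and EXAMPLE_TRACE_FILE, the default directory and all helper names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_MODULE_DIR "/usr/lib/example"   /* hypothetical built-in default */

/* Credentials are passed in explicitly so the decision can be exercised
 * without installing a real setuid or setgid binary. */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

static struct creds current_creds(void) {
    struct creds c = { getuid(), geteuid(), getgid(), getegid() };
    return c;
}

/* Real and effective IDs differ when the binary is setuid or setgid; the
 * environment then belongs to a less-privileged caller. glibc's
 * secure_getenv() applies a broader form of this check. */
static int is_privileged(struct creds c) {
    return c.ruid != c.euid || c.rgid != c.egid;
}

static const char *env_if_trusted(const char *name, struct creds c) {
    return is_privileged(c) ? NULL : getenv(name);
}

/* Where to load a plug-in from: a caller-chosen directory means caller-chosen code. */
static const char *module_dir(struct creds c) {
    const char *dir = env_if_trusted("EXAMPLE_MODULE_PATH", c);
    return (dir && dir[0] == '/') ? dir : DEFAULT_MODULE_DIR;
}

/* Where to write debug output: a caller-chosen path is opened with the
 * process's elevated rights. NULL means tracing stays off. */
static const char *trace_file(struct creds c) {
    return env_if_trusted("EXAMPLE_TRACE_FILE", c);
}

int main(void) {
    struct creds c = current_creds();
    const char *t = trace_file(c);
    printf("privileged=%d module_dir=%s trace_file=%s\n",
           is_privileged(c), module_dir(c), t ? t : "(disabled)");
    return 0;
}
```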