Security update for libva

Announcement ID: SUSE-SU-2025:1451-1
Release Date: 2025-05-05T07:43:42Z
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2023-39929 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  • openSUSE Leap 15.3
  • SUSE Enterprise Storage 7.1
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP3 LTSS
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3

An update that solves one vulnerability, contains three features and has two security fixes can now be installed.

Description:

This update for libva fixes the following issues:

Update to libva version 2.20.0, which includes security fix for:

  • uncontrolled search path may allow an authenticated user to escalate privilege via local access (CVE-2023-39929, bsc#1224413, jsc#PED-11066)

This includes latest version of one of the components needed for Video (processing) hardware support on Intel GPUs (bsc#1217770)

Update to version 2.20.0:

  • av1: Revise offsets comments for av1 encode
  • drm:
    • Limit the array size to avoid out of range
    • Remove no longer used helpers
  • jpeg: add support for crop and partial decode
  • trace:
    • Add trace for vaExportSurfaceHandle
    • Unlock mutex before return
    • Fix minor issue about printf data type and value range
  • va/backend:
    • Annotate vafool as deprecated
    • Document the vaGetDriver* APIs
  • va/x11/va_fglrx: Remove some dead code
  • va/x11/va_nvctrl: Remove some dead code
  • va:
    • Add new VADecodeErrorType to indicate the reset happended in the driver
    • Add vendor string on va_TraceInitialize
    • Added Q416 fourcc (three-plane 16-bit YUV 4:4:4)
    • Drop no longer applicable vaGetDriverNames check
    • Fix:don't leak driver names, when override is set
    • Fix:set driver number to be zero if vaGetDriverNames failed
    • Optimize code of getting driver name for all protocols/os (wayland,x11,drm,win32,android)
    • Remove legacy code paths
    • Remove unreachable "DRIVER BUG"
  • win32:
    • Only print win32 driver messages in DEBUG builds
    • Remove duplicate adapter_luid entry
  • x11/dri2: limit the array handling to avoid out of range access
  • x11:
    • Allow disabling DRI3 via LIBVA_DRI3_DISABLE env var
    • Implement vaGetDriverNames
    • Remove legacy code paths

Update to 2.19.0:

  • add: Add mono_chrome to VAEncSequenceParameterBufferAV1
  • add: Enable support for license acquisition of multiple protected playbacks
  • fix: use secure_getenv instead of getenv
  • trace: Improve and add VA trace log for AV1 encode
  • trace: Unify va log message, replace va_TracePrint with va_TraceMsg.

Update to version 2.18.0:

  • doc: Add build and install libva informatio in home page.
  • fix:
    • Add libva.def into distribution package
    • NULL check before calling strncmp.
    • Remove reference to non-existent symbol
  • meson: docs:
    • Add encoder interface for av1
    • Use libva_version over project_version()
  • va:
    • Add VAProfileH264High10
    • Always build with va-messaging API
    • Fix the codying style of CHECK_DISPLAY
    • Remove Android pre Jelly Bean workarounds
    • Remove dummy isValid() hook
    • Remove unused drm_sarea.h include & ANDROID references in va_dricommon.h
    • va/sysdeps.h: remove Android section
  • x11:
    • Allow disabling DRI3 via LIBVA_DRI3_DISABLe env var
    • Use LIBVA_DRI3_DISABLE in GetNumCandidates

Update to 2.17.0:

  • win: Simplify signature for driver name loading
  • win: Rewrite driver registry query and fix some bugs/leaks/inefficiencies
  • win: Add missing null check after calloc
  • va: Update security disclaimer
  • dep:remove the file .cvsignore
  • pkgconfig: add 'with-legacy' for emgd, nvctrl and fglrx
  • meson: add 'with-legacy' for emgd, nvctrl and fglrx
  • x11: move all FGLRX code to va_fglrx.c
  • x11: move all NVCTRL code to va_nvctrl.c
  • meson: stop using deprecated meson.source_root()
  • meson: stop using configure_file copy=true
  • va: correctly include the win32 (local) headers
  • win: clean-up the coding style
  • va: dos2unix all the files
  • drm: remove unnecessary dri2 version/extension query
  • trace: annotate internal functions with DLL_HIDDEN
  • build/sysdeps: Remove HAVE_GNUC_VISIBILITY_ATTRIBUTE and use GNUC support level attribute instead
  • meson: Check support for -Wl,-version-script and build link_args accordingly
  • meson: Set va_win32 soversion to '' and remove the install_data rename
  • fix: resouce check null
  • va_trace: Add Win32 memory types in va_TraceSurfaceAttributes
  • va_trace: va_TraceSurfaceAttributes should check the VASurfaceAttribMemoryType
  • va: Adds Win32 Node and Windows build support
  • va: Adds compat_win32 abstraction for Windows build and prepares va common code for windows build
  • pkgconfig: Add Win32 package for when WITH_WIN32 is enabled
  • meson: Add with_win32 option, makes libdrm non-mandatory on Win
  • x11: add basic DRI3 support
  • drm: remove VA_DRM_IsRenderNodeFd() helper
  • drm: add radeon drm + radeonsi mesa combo

Needed for jira#PED-1174 (Video decoding/encoding support (VA-API, ...) for Intel GPUs is outside of Mesa)

Update to 2.16.0:

  • add: Add HierarchicalFlag & hierarchical_level_plus1 for AV1e.
  • dep: Update README.md to remove badge links
  • dep: Removed waffle-io badge from README to fix broken link
  • dep: Drop mailing list, IRC and Slack
  • autotools: use wayland-scanner private-code
  • autotools: use the wayland-scanner.pc to locate the prog
  • meson: use wayland-scanner private-code
  • meson: request native wayland-scanner
  • meson: use the wayland-scanner.pc to locate the prog
  • meson: set HAVE_VA_X11 when applicable
  • style:Correct slight coding style in several new commits
  • trace: add Linux ftrace mode for va trace
  • trace: Add missing pthread_mutex_destroy
  • drm: remove no-longer needed X == X mappings
  • drm: fallback to drm driver name == va driver name
  • drm: simplify the mapping table
  • x11: simplify the mapping table

Update to version 2.15.0 was part of Intel oneVPL GPU Runtime 2022Q2 Release 22.4.4

Update to 2.15.0:

  • Add: new display HW attribute to report PCI ID
  • Add: sample depth related parameters for AV1e
  • Add: refresh_frame_flags for AV1e
  • Add: missing fields in va_TraceVAEncSequenceParameterBufferHEVC.
  • Add: nvidia-drm to the drm driver map
  • Add: type and buffer for delta qp per block
  • Deprecation: remove the va_fool support
  • Fix:Correct the version of meson build on master branch
  • Fix:X11 DRI2: check if device is a render node
  • Build:Use also strong stack protection if supported
  • Trace:print the string for profile/entrypoint/configattrib

Update to 2.14.0:

  • add: Add av1 encode interfaces
  • add: VA/X11 VAAPI driver mapping for crocus DRI driver
  • doc: Add description of the fd management for surface importing
  • ci: fix freebsd build
  • meson: Copy public headers to build directory to support subproject

Update to 2.13.0

  • add new surface format fourcc XYUV
  • Fix av1 dec doc page link issue
  • unify the code styles using the style_unify script
  • Check the function pointer before using (fixes github issue#536)
  • update NEWS for 2.13.0

Update to 2.12.0:

  • add: Report the capability of vaCopy support
  • add: Report the capability of sub device
  • add: Add config attributes to advertise HEVC/H.265 encoder features
  • add: Video processing HVS Denoise: Added 4 modes
  • add: Introduce VASurfaceAttribDRMFormatModifiers
  • add: Add 3DLUT Filter in Video Processing.
  • doc: Update log2_tile_column description for vp9enc
  • trace: Correct av1 film grain trace information
  • ci: Fix freebsd build by switching to vmactions/freebsd-vm@v0.1.3

Update to 2.11.0:

  • add: LibVA Protected Content API
  • add: Add a configuration attribute to advertise AV1d LST feature
  • fix: wayland: don't try to authenticate with render nodes
  • autotools: use shell grouping instead of sed to prepend a line
  • trace: Add details data dump for mpeg2 IQ matrix.
  • doc: update docs for VASurfaceAttribPixelFormat
  • doc: Libva documentation edit for AV1 reference frames
  • doc: Modify AV1 frame_width_minus1 and frame_height_minus1 comment
  • doc: Remove tile_rows and tile_cols restriction to match AV1 spec
  • doc: Format code for doxygen output
  • doc: AV1 decode documentation edit for superres_scale_denominator
  • ci: upgrade FreeBSD to 12.2
  • ci: disable travis build
  • ci: update cache before attempting to install packages
  • ci: avoid running workloads on other workloads changes

  • ci: enable github actions

  • CVE-2023-39929: Fixed an issue where an uncontrolled search path may allow authenticated users to escalate privilege via local access. (bsc#1224413)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.3
    zypper in -t patch SUSE-2025-1451=1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-1451=1
  • SUSE Linux Enterprise Server 15 SP3 LTSS
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-1451=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2025-1451=1
  • SUSE Enterprise Storage 7.1
    zypper in -t patch SUSE-Storage-7.1-2025-1451=1

Package List:

  • openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
    • libva2-debuginfo-2.20.0-150300.3.3.1
    • libva-x11-2-debuginfo-2.20.0-150300.3.3.1
    • libva-debugsource-2.20.0-150300.3.3.1
    • libva-drm2-debuginfo-2.20.0-150300.3.3.1
    • libva2-2.20.0-150300.3.3.1
    • libva-wayland2-2.20.0-150300.3.3.1
    • libva-glx2-2.20.0-150300.3.3.1
    • libva-gl-debugsource-2.20.0-150300.3.3.1
    • libva-gl-devel-2.20.0-150300.3.3.1
    • libva-drm2-2.20.0-150300.3.3.1
    • libva-glx2-debuginfo-2.20.0-150300.3.3.1
    • libva-wayland2-debuginfo-2.20.0-150300.3.3.1
    • libva-x11-2-2.20.0-150300.3.3.1
    • libva-devel-2.20.0-150300.3.3.1
  • openSUSE Leap 15.3 (x86_64)
    • libva-drm2-32bit-debuginfo-2.20.0-150300.3.3.1
    • libva-wayland2-32bit-2.20.0-150300.3.3.1
    • libva-wayland2-32bit-debuginfo-2.20.0-150300.3.3.1
    • libva-drm2-32bit-2.20.0-150300.3.3.1
    • libva-glx2-32bit-2.20.0-150300.3.3.1
    • libva-x11-2-32bit-2.20.0-150300.3.3.1
    • libva2-32bit-2.20.0-150300.3.3.1
    • libva-x11-2-32bit-debuginfo-2.20.0-150300.3.3.1
    • libva-glx2-32bit-debuginfo-2.20.0-150300.3.3.1
    • libva-gl-devel-32bit-2.20.0-150300.3.3.1
    • libva2-32bit-debuginfo-2.20.0-150300.3.3.1
    • libva-devel-32bit-2.20.0-150300.3.3.1
  • openSUSE Leap 15.3 (aarch64_ilp32)
    • libva-drm2-64bit-debuginfo-2.20.0-150300.3.3.1
    • libva-wayland2-64bit-debuginfo-2.20.0-150300.3.3.1
    • libva-drm2-64bit-2.20.0-150300.3.3.1
    • libva-gl-devel-64bit-2.20.0-150300.3.3.1
    • libva-x11-2-64bit-debuginfo-2.20.0-150300.3.3.1
    • libva-wayland2-64bit-2.20.0-150300.3.3.1
    • libva-glx2-64bit-debuginfo-2.20.0-150300.3.3.1
    • libva2-64bit-2.20.0-150300.3.3.1
    • libva-glx2-64bit-2.20.0-150300.3.3.1
    • libva-x11-2-64bit-2.20.0-150300.3.3.1
    • libva2-64bit-debuginfo-2.20.0-150300.3.3.1
    • libva-devel-64bit-2.20.0-150300.3.3.1
  • SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
    • libva2-debuginfo-2.20.0-150300.3.3.1
    • libva-x11-2-debuginfo-2.20.0-150300.3.3.1
    • libva-debugsource-2.20.0-150300.3.3.1
    • libva-drm2-debuginfo-2.20.0-150300.3.3.1
    • libva2-2.20.0-150300.3.3.1
    • libva-wayland2-2.20.0-150300.3.3.1
    • libva-drm2-2.20.0-150300.3.3.1
    • libva-wayland2-debuginfo-2.20.0-150300.3.3.1
    • libva-x11-2-2.20.0-150300.3.3.1
    • libva-devel-2.20.0-150300.3.3.1
  • SUSE Linux Enterprise Server 15 SP3 LTSS (aarch64 ppc64le s390x x86_64)
    • libva2-debuginfo-2.20.0-150300.3.3.1
    • libva-x11-2-debuginfo-2.20.0-150300.3.3.1
    • libva-debugsource-2.20.0-150300.3.3.1
    • libva-drm2-debuginfo-2.20.0-150300.3.3.1
    • libva2-2.20.0-150300.3.3.1
    • libva-wayland2-2.20.0-150300.3.3.1
    • libva-drm2-2.20.0-150300.3.3.1
    • libva-wayland2-debuginfo-2.20.0-150300.3.3.1
    • libva-x11-2-2.20.0-150300.3.3.1
    • libva-devel-2.20.0-150300.3.3.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
    • libva2-debuginfo-2.20.0-150300.3.3.1
    • libva-x11-2-debuginfo-2.20.0-150300.3.3.1
    • libva-debugsource-2.20.0-150300.3.3.1
    • libva-drm2-debuginfo-2.20.0-150300.3.3.1
    • libva2-2.20.0-150300.3.3.1
    • libva-wayland2-2.20.0-150300.3.3.1
    • libva-drm2-2.20.0-150300.3.3.1
    • libva-wayland2-debuginfo-2.20.0-150300.3.3.1
    • libva-x11-2-2.20.0-150300.3.3.1
    • libva-devel-2.20.0-150300.3.3.1
  • SUSE Enterprise Storage 7.1 (aarch64 x86_64)
    • libva2-debuginfo-2.20.0-150300.3.3.1
    • libva-x11-2-debuginfo-2.20.0-150300.3.3.1
    • libva-debugsource-2.20.0-150300.3.3.1
    • libva-drm2-debuginfo-2.20.0-150300.3.3.1
    • libva2-2.20.0-150300.3.3.1
    • libva-wayland2-2.20.0-150300.3.3.1
    • libva-drm2-2.20.0-150300.3.3.1
    • libva-wayland2-debuginfo-2.20.0-150300.3.3.1
    • libva-x11-2-2.20.0-150300.3.3.1
    • libva-devel-2.20.0-150300.3.3.1

References: