---
- branch: MAIN
  date: Mon Jan 23 18:20:59 UTC 2017
  files:
  - new: '1.10'
    old: '1.9'
    path: pkgsrc/multimedia/libvdpau/Makefile
    pathrev: pkgsrc/multimedia/libvdpau/Makefile@1.10
    type: modified
  - new: '1.3'
    old: '1.2'
    path: pkgsrc/multimedia/libvdpau/PLIST
    pathrev: pkgsrc/multimedia/libvdpau/PLIST@1.3
    type: modified
  - new: '1.5'
    old: '1.4'
    path: pkgsrc/multimedia/libvdpau/available.mk
    pathrev: pkgsrc/multimedia/libvdpau/available.mk@1.5
    type: modified
  - new: '1.6'
    old: '1.5'
    path: pkgsrc/multimedia/libvdpau/distinfo
    pathrev: pkgsrc/multimedia/libvdpau/distinfo@1.6
    type: modified
  - new: '1.2'
    old: '1.1'
    path: pkgsrc/multimedia/libvdpau/patches/patch-src_Makefile.in
    pathrev: pkgsrc/multimedia/libvdpau/patches/patch-src_Makefile.in@1.2
    type: modified
  id: 20170123T182059Z.a2acb4500969ff40824bf69c03df138226b7dc96
  log: |
    Changes 1.1.1:
    Use secure_getenv(3) to improve security

    This patch is in response to the following security vulnerabilities
    (CVEs) reported to NVIDIA against libvdpau:

    CVE-2015-5198
    CVE-2015-5199
    CVE-2015-5200

    To address these CVEs, this patch:

    - replaces all uses of getenv(3) with secure_getenv(3);
    - uses secure_getenv(3) when available, with a fallback option;
    - protects VDPAU_DRIVER against directory traversal by checking for '/'

    On platforms where secure_getenv(3) is not available, the C preprocessor
    will print a warning at compile time. Then, a preprocessor macro will
    replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check:

      getuid() == geteuid() && getgid() == getegid()

    See getuid(2) and getgid(2) for further details.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/multimedia/libvdpau'
  unixtime: '1485195659'
  user: adam