Bug 19814

Summary: gstreamer0.10-plugins-bad, gstreamer1.0-plugins-bad new security issue in VMWare screen capture file decoder (CVE-2016-944[56])
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Shlomi Fish <shlomif>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, pkg-bugs
Version: 5   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/706842/
Whiteboard:
Source RPM: gstreamer0.10-plugins-bad, gstreamer1.0-plugins-bad CVE:
Status comment:
Bug Depends on: 20238    
Bug Blocks:    

Description David Walser 2016-11-18 17:23:44 CET 
Debian has issued an advisory on November 17:
https://www.debian.org/security/2016/dsa-3717
David Walser 2016-11-18 17:23:55 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-11-18 18:21:57 CET 
Assigning to gstreamer0.10-plugins-bad maintainer.

There's no gstreamer1.0-plugins-bad maintainer. CC'ing all packagers collectively.

I guess this report needs to be cloned for gstreamer1.0-plugins-bad, anyway?

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => shlomif

Comment 2 David Walser 2016-11-18 20:59:21 CET 
CVE request and link to the upstream fix:
http://openwall.com/lists/oss-security/2016/11/18/12
Comment 3 David Walser 2016-11-19 20:38:28 CET 
Appears to be fixed in Cauldron by Shlomi.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2016-11-20 17:15:59 CET 
CVE-2016-944[56]:
http://openwall.com/lists/oss-security/2016/11/18/13

Summary: gstreamer0.10-plugins-bad, gstreamer1.0-plugins-bad new security issue in VMWare screen capture file decoder => gstreamer0.10-plugins-bad, gstreamer1.0-plugins-bad new security issue in VMWare screen capture file decoder (CVE-2016-944[56])

Comment 5 David Walser 2016-12-05 20:08:06 CET 
CVE-2016-9809, CVE-2016-981[23] assigned for issues fixed in 1.10.2:
http://openwall.com/lists/oss-security/2016/12/05/8
Comment 6 David Walser 2016-12-08 19:53:18 CET 
LWN reference for CVE-2016-9809:
https://lwn.net/Vulnerabilities/708524/
Comment 7 David Walser 2016-12-12 20:29:36 CET 
LWN reference for CVE-2016-981[23]:
https://lwn.net/Vulnerabilities/708873/

Fedora has issued an advisory for this on December 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IQKP5AYCCUOV4CJ6YAVAIDLWZRXEY7JG/
David Walser 2017-12-27 23:14:37 CET

Depends on: (none) => 20238

Comment 8 David Walser 2018-01-01 17:14:30 CET 
Fixed in:
https://advisories.mageia.org/MGASA-2018-0012.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED