Bug 20236

Summary: gstreamer1.0-plugins-base new security issues CVE-2017-583[79] and CVE-2017-584[24]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, mageia, mageia, marja11, pkg-bugs, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/713773/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: gstreamer1.0-plugins-base-1.4.3-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-02-02 12:15:01 CET 
CVEs have been assigned for several security issues fixed in gstreamer 1.10.3:
http://openwall.com/lists/oss-security/2017/02/02/9

Four of those affect plugins-base.  Mageia 5 may be affected.
Comment 1 Marja Van Waes 2017-02-02 16:03:23 CET 
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => fundawang

David Walser 2017-02-07 12:11:13 CET

URL: (none) => https://lwn.net/Vulnerabilities/713773/

Comment 2 David Walser 2017-02-21 12:16:16 CET 
gstreamer0.10-plugins-base also affected:
https://lwn.net/Alerts/714996/
David Walser 2017-02-21 12:27:52 CET

Assignee: fundawang => shlomif

Comment 3 David Walser 2017-04-22 23:01:50 CEST 
openSUSE has issued an advisory on April 20:
https://lists.opensuse.org/opensuse-updates/2017-04/msg00084.html
Comment 4 Nicolas Lécureuil 2017-08-22 02:24:19 CEST 
Pushed in updates_testing
src.rpm:
        gstreamer1.0-plugins-base-1.4.3-2.2.mga5
        gstreamer0.10-plugins-base-0.10.36-9.2.mga5

CC: (none) => mageia
Assignee: shlomif => qa-bugs

Comment 5 David Walser 2017-08-22 02:42:04 CEST 
Advisory:
========================

Updated gstreamer0.10-plugins-base and gstreamer1.0-plugins-base packages fix
security vulnerabilities:

Denial of service in GStreamer base plugins can be caused by floating point
exceptions (CVE-2017-5837, CVE-2017-5844), stack overflow (CVE-2017-5839), or
out-of-bounds heap read (CVE-2017-5842).

Note that GStreamer 0.10 was only affected by the floating point exceptions.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5842
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5844
http://openwall.com/lists/oss-security/2017/02/02/9
https://lwn.net/Alerts/714996/
========================

Updated packages in core/updates_testing:
========================
gstreamer0.10-plugins-base-0.10.36-9.2.mga5
gstreamer0.10-plugins-base-debuginfo-0.10.36-9.2.mga5
libgstreamer-plugins-base0.10_0-0.10.36-9.2.mga5
libgstreamer-plugins-base-gir0.10-0.10.36-9.2.mga5
libgstreamer-plugins-base0.10-devel-0.10.36-9.2.mga5
gstreamer0.10-gnomevfs-0.10.36-9.2.mga5
gstreamer0.10-cdparanoia-0.10.36-9.2.mga5
gstreamer0.10-libvisual-0.10.36-9.2.mga5
gstreamer1.0-plugins-base-1.4.3-2.2.mga5
gstreamer1.0-plugins-base-debuginfo-1.4.3-2.2.mga5
libgstreamer-plugins-base1.0_0-1.4.3-2.2.mga5
libgstreamer-plugins-base-gir1.0-1.4.3-2.2.mga5
libgstreamer-plugins-base1.0-devel-1.4.3-2.2.mga5
gstreamer1.0-cdparanoia-1.4.3-2.2.mga5
gstreamer1.0-libvisual-1.4.3-2.2.mga5

from SRPMS:
gstreamer0.10-plugins-base-0.10.36-9.2.mga5.src.rpm
gstreamer1.0-plugins-base-1.4.3-2.2.mga5.src.rpm
Comment 6 PC LX 2017-08-24 13:58:01 CEST 
Installed and tested without issues.

NOTICE: Only tested the gstreamer1.0 packages.

Tested using gst-play-1.0 to play dozens of video and audio files, including local and remote (http) files, using a variety of codecs.

Have to look in to a practical way to test the gstreamer0.10 packages.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep gst.*1\.0 | sort
gstreamer1.0-libav-1.4.3-4.mga5
gstreamer1.0-plugins-bad-1.4.3-2.mga5.tainted
gstreamer1.0-plugins-base-1.4.3-2.2.mga5
gstreamer1.0-plugins-good-1.4.3-2.2.mga5
gstreamer1.0-plugins-ugly-1.4.3-2.mga5.tainted
gstreamer1.0-pulse-1.4.3-2.2.mga5
gstreamer1.0-soup-1.4.3-2.2.mga5
gstreamer1.0-tools-1.4.3-2.1.mga5
lib64gstbadbase1.0_0-1.4.3-2.mga5.tainted
lib64gstbadvideo1.0_0-1.4.3-2.mga5.tainted
lib64gstbasecamerabinsrc1.0_0-1.4.3-2.mga5.tainted
lib64gstcodecparsers1.0_0-1.4.3-2.mga5.tainted
lib64gstgl1.0_0-1.4.3-2.mga5.tainted
lib64gstmpegts1.0_0-1.4.3-2.mga5.tainted
lib64gstphotography1.0_0-1.4.3-2.mga5.tainted
lib64gstreamer1.0_0-1.4.3-2.1.mga5
lib64gstreamer1.0-devel-1.4.3-2.1.mga5
lib64gstreamer-plugins-base1.0_0-1.4.3-2.2.mga5
lib64gstreamer-plugins-base1.0-devel-1.4.3-2.2.mga5
lib64gsturidownloader1.0_0-1.4.3-2.mga5.tainted
lib64gstwayland1.0_0-1.4.3-2.mga5.tainted
lib64qtgstreamer1.0_0-1.2.0-2.mga5
lib64qtgstreamerutils1.0_0-1.2.0-2.mga5
packagekit-gstreamer-plugin-1.0.6-0.4.1.mga5

CC: (none) => mageia

Comment 7 Len Lawrence 2017-08-26 01:52:04 CEST 
@PC LX
You could try gnash for shockwave flash files.  strace shows that it opens the lib64gstreamer0.1 library.
$ strace gnash Cassini_Saturn_flyover.swf  2> gnash.trace$ cat gnash.trace | grep gstreamer
open("/usr/lib64/gnash/libgstreamer-0.10.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libgstreamer-0.10.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libgstreamer-0.10.so.0.30.0", O_RDONLY) = 4

That was without updating.
lightspark uses gnash but I could not get a proper trace on that.

Oddly, gnash does not seem to be supported on mga6.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2017-08-26 01:54:53 CEST 
That should read:
$ strace gnash Cassini_Saturn_flyover.swf  2> gnash.trace
$ cat gnash.trace | grep gstreamer
Comment 9 Herman Viaene 2017-08-26 15:27:54 CEST 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
traced parole in playing .wav and mpg, and gnash to play swf.
All parole traces show:
open("/lib/libgstreamer-1.0.so.0", O_RDONLY|O_CLOEXEC) = 3
Seems OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 10 Len Lawrence 2017-08-26 21:20:22 CEST 
Making this official for the 0.10 plugins on mga5::x86_64.
$ strace gnash surfacefly_spirit.swf  2> gnash.trace

The shockwave flash video played through OK.
In the trace there were dozens of gstreamer-0.10 references and lines like this:
openat(AT_FDCWD, "/usr/lib64/gstreamer-0.10", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 7

totem uses the gstreamer1.0 plugins and plays MP4, mkv, wmv and MOV files. 

Good for 64 bits based on these tests and those of comment 6.  Thanks PC LX.
Len Lawrence 2017-08-26 21:20:45 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK

Lewis Smith 2017-08-26 22:18:25 CEST

Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 11 Nicolas Lécureuil 2017-08-26 23:02:39 CEST 
Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â (None found)
Checking SRPMs⦠                      â (5/core/gstreamer0.10-plugins-base-0.10.36-9.2.mga5.src.rpm) â (5/core/gstreamer1.0-plugins-base-1.4.3-2.2.mga5.src.rpm) 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 12 David Walser 2017-08-26 23:07:03 CEST 
(In reply to Nicolas Lécureuil from comment #11)
> Update ID assignment failed
> 
> Checking for QA validation keyword⦠  â
> Checking dependent bugs⦠             â (None found)
> Checking SRPMs⦠                      â
> (5/core/gstreamer0.10-plugins-base-0.10.36-9.2.mga5.src.rpm) â
> (5/core/gstreamer1.0-plugins-base-1.4.3-2.2.mga5.src.rpm) 
> 
> 
> 'validated_update' keyword reset.

I just double checked and those SRPMS names are correct.  Why did the script fail?
Comment 13 Lewis Smith 2017-08-28 20:51:26 CEST 
(In reply to Nicolas Lécureuil from comment #11)
> Update ID assignment failed
> Checking for QA validation keyword⦠  â
> Checking dependent bugs⦠             â (None found)
> Checking SRPMs⦠                      â
> (5/core/gstreamer0.10-plugins-base-0.10.36-9.2.mga5.src.rpm) â
> (5/core/gstreamer1.0-plugins-base-1.4.3-2.2.mga5.src.rpm) 
> 'validated_update' keyword reset.
@Nicolas
In the light of David's confirmation above - what is the problem? Is there anything I can do to be shot of this?
Comment 14 Nicolas Lécureuil 2017-08-28 21:50:11 CEST 
are .src.rpm needed in the advisory ? i doubt it

i think this should be 5/core/gstreamer0.10-plugins-base-0.10.36-9.2.mga5 instead of 5/core/gstreamer0.10-plugins-base-0.10.36-9.2.mga5.src.rpm ( and the same for the other one )
Comment 15 Lewis Smith 2017-08-29 20:52:15 CEST 
Thanks for the pointer. Of course. Basic; Advisory-drunk, I guess.
I have corrected it.
BTW In future, where the advisory is wrong, it is better to *leave* 'validated update' and *clear* 'advisory'. We are agreed to have validated updates awaiting their advisories; this removes them from the main list.

Keywords: (none) => validated_update

Comment 16 Mageia Robot 2017-08-29 22:36:59 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0320.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED