| Summary: | gstreamer1.0-plugins-bad new security issues CVE-2017-584[38] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, marja11, pterjan, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lwn.net/Vulnerabilities/713772/ | | |
| Whiteboard: | MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | gstreamer1.0-plugins-bad-1.4.3-2.mga5.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 19802, 19814 | | |

Description
David Walser
2017-02-02 12:15:10 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs

David Walser
2017-02-07 12:08:44 CET
URL: (none) => https://lwn.net/Vulnerabilities/713772/

gstreamer0.10-plugins-bad also affected:
https://lwn.net/Vulnerabilities/713772/

David Walser
2017-02-21 12:27:58 CET
Assignee: pkg-bugs => shlomif

CVE-2016-9809, CVE-2016-9812, CVE-2016-9813 also addressed by this Debian update:
https://www.debian.org/security/2017/dsa-3818

openSUSE has issued an advisory for this on April 18:
https://lists.opensuse.org/opensuse-updates/2017-04/msg00059.html

Note that there are core and tainted builds for these packages. The Mageia 6 tainted build isn't available yet because the build system was never fixed.

Advisory (Mageia 5):
========================

Updated gstreamer0.10-plugins-bad and gstreamer1.0-plugins-bad packages fix security vulnerabilities:

Chris Evans discovered that the GStreamer plugin to decode VMware screen capture files allowed the execution of arbitrary code (CVE-2016-9445, CVE-2016-9446).

Chris Evans discovered that the GStreamer 0.10 plugin to decode NES Sound Format files allowed the execution of arbitrary code (CVE-2016-9447).

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media framework and its codecs and demuxers, which may result in denial of service or the execution of arbitrary code if a malformed media file is opened (CVE-2016-9809, CVE-2016-9812, CVE-2016-9813, CVE-2017-5843, CVE-2017-5848).

The gstreamer0.10-plugins-bad package was affected by CVE-2016-9445, CVE-2016-9446, CVE-2016-9447, CVE-2016-9809, CVE-2017-5843, and CVE-2017-5848.

The gstreamer1.0-plugins-bad package was affected by CVE-2016-9445, CVE-2016-9446, CVE-2016-9809, CVE-2016-9812, CVE-2016-9813, CVE-2017-5843, and CVE-2017-5848.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9445
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5848
http://openwall.com/lists/oss-security/2016/11/18/13
https://www.debian.org/security/2016/dsa-3713
https://www.debian.org/security/2016/dsa-3717
https://www.debian.org/security/2017/dsa-3818
========================

Updated packages in {core,tainted}/updates_testing:
========================
gstreamer0.10-plugins-bad-0.10.23-22.2.mga5
libgstphotography0.10_0-0.10.23-22.2.mga5
libgstvdp0.10_0-0.10.23-22.2.mga5
libgstphotography-devel-0.10.23-22.2.mga5
libgstbasevideo0.10_0-0.10.23-22.2.mga5
libgstbasevideo-devel-0.10.23-22.2.mga5
gstreamer0.10-curl-0.10.23-22.2.mga5
gstreamer0.10-dc1394-0.10.23-22.2.mga5
gstreamer0.10-ofa-0.10.23-22.2.mga5
gstreamer0.10-wildmidi-0.10.23-22.2.mga5
gstreamer0.10-mpeg2enc-0.10.23-22.2.mga5
gstreamer0.10-gme-0.10.23-22.2.mga5
gstreamer0.10-dirac-0.10.23-22.2.mga5
gstreamer0.10-schroedinger-0.10.23-22.2.mga5
gstreamer0.10-vp8-0.10.23-22.2.mga5
gstreamer0.10-ladspa-0.10.23-22.2.mga5
gstreamer0.10-musepack-0.10.23-22.2.mga5
gstreamer0.10-mms-0.10.23-22.2.mga5
gstreamer0.10-rtmp-0.10.23-22.2.mga5
gstreamer0.10-directfb-0.10.23-22.2.mga5
gstreamer0.10-soundtouch-0.10.23-22.2.mga5
gstreamer0.10-kate-0.10.23-22.2.mga5
gstreamer0.10-libass-0.10.23-22.2.mga5
gstreamer0.10-resindvd-0.10.23-22.2.mga5
gstreamer0.10-voip-0.10.23-22.2.mga5
gstreamer0.10-cog-0.10.23-22.2.mga5
gstreamer0.10-plugins-bad-doc-0.10.23-22.2.mga5
gstreamer0.10-plugins-bad-debuginfo-0.10.23-22.2.mga5
gstreamer0.10-vdpau-0.10.23-22.2.mga5
gstreamer0.10-gsm-0.10.23-22.2.mga5
gstreamer0.10-neon-0.10.23-22.2.mga5
gstreamer0.10-nas-0.10.23-22.2.mga5
gstreamer0.10-jp2k-0.10.23-22.2.mga5
gstreamer0.10-celt-0.10.23-22.2.mga5
gstreamer0.10-rsvg-0.10.23-22.2.mga5
gstreamer1.0-plugins-bad-1.4.3-2.1.mga5
libgstphotography1.0_0-1.4.3-2.1.mga5
libgstcodecparsers1.0_0-1.4.3-2.1.mga5
libgstbasecamerabinsrc1.0_0-1.4.3-2.1.mga5
libgstbadbase1.0_0-1.4.3-2.1.mga5
libgstbadvideo1.0_0-1.4.3-2.1.mga5
libgstgl1.0_0-1.4.3-2.1.mga5
libgstwayland1.0_0-1.4.3-2.1.mga5
libgstinsertbin1.0_0-1.4.3-2.1.mga5
libgstmpegts1.0_0-1.4.3-2.1.mga5
libgsturidownloader1.0_0-1.4.3-2.1.mga5
libgstreamer-plugins-bad1.0-devel-1.4.3-2.1.mga5
gstreamer1.0-curl-1.4.3-2.1.mga5
gstreamer1.0-mpeg2enc-1.4.3-2.1.mga5
gstreamer1.0-gme-1.4.3-2.1.mga5
gstreamer1.0-schroedinger-1.4.3-2.1.mga5
gstreamer1.0-mms-1.4.3-2.1.mga5
gstreamer1.0-rtmp-1.4.3-2.1.mga5
gstreamer1.0-soundtouch-1.4.3-2.1.mga5
gstreamer1.0-libass-1.4.3-2.1.mga5
gstreamer1.0-opencv-1.4.3-2.1.mga5
gstreamer1.0-wildmidi-1.4.3-2.1.mga5
gstreamer1.0-plugins-bad-doc-1.4.3-2.1.mga5
libgstreamer-plugins-bad-gir1.0-1.4.3-2.1.mga5
gstreamer1.0-plugins-bad-debuginfo-1.4.3-2.1.mga5
gstreamer1.0-gsm-1.4.3-2.1.mga5
gstreamer1.0-dash-1.4.3-2.1.mga5
gstreamer1.0-directfb-1.4.3-2.1.mga5
gstreamer1.0-fluidsynth-1.4.3-2.1.mga5
gstreamer1.0-ladspa-1.4.3-2.1.mga5
gstreamer1.0-neon-1.4.3-2.1.mga5
gstreamer1.0-ofa-1.4.3-2.1.mga5
gstreamer1.0-sbc-1.4.3-2.1.mga5
gstreamer1.0-smoothstreaming-1.4.3-2.1.mga5
gstreamer1.0-spandsp-1.4.3-2.1.mga5
gstreamer1.0-srtp-1.4.3-2.1.mga5

from SRPMS:
gstreamer0.10-plugins-bad-0.10.23-22.2.mga5.src.rpm
gstreamer1.0-plugins-bad-1.4.3-2.1.mga5.src.rpm

Advisory (Mageia 6):
========================

Updated gstreamer0.10-plugins-bad packages fix security vulnerabilities:

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media framework and its codecs and demuxers, which may result in denial of service or the execution of arbitrary code if a malformed media file is opened (CVE-2016-9809, CVE-2017-5843, CVE-2017-5848).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5848
https://www.debian.org/security/2017/dsa-3818
========================

Updated packages in {core,tainted}/updates_testing:
========================
gstreamer0.10-plugins-bad-0.10.23-35.1.mga6
libgstphotography0.10_0-0.10.23-35.1.mga6
libgstvdp0.10_0-0.10.23-35.1.mga6
libgstphotography-devel-0.10.23-35.1.mga6
libgstbasevideo0.10_0-0.10.23-35.1.mga6
libgstbasevideo-devel-0.10.23-35.1.mga6
gstreamer0.10-curl-0.10.23-35.1.mga6
gstreamer0.10-dc1394-0.10.23-35.1.mga6
gstreamer0.10-ofa-0.10.23-35.1.mga6
gstreamer0.10-wildmidi-0.10.23-35.1.mga6
gstreamer0.10-mpeg2enc-0.10.23-35.1.mga6
gstreamer0.10-gme-0.10.23-35.1.mga6
gstreamer0.10-dirac-0.10.23-35.1.mga6
gstreamer0.10-schroedinger-0.10.23-35.1.mga6
gstreamer0.10-vp8-0.10.23-35.1.mga6
gstreamer0.10-ladspa-0.10.23-35.1.mga6
gstreamer0.10-musepack-0.10.23-35.1.mga6
gstreamer0.10-mms-0.10.23-35.1.mga6
gstreamer0.10-rtmp-0.10.23-35.1.mga6
gstreamer0.10-soundtouch-0.10.23-35.1.mga6
gstreamer0.10-kate-0.10.23-35.1.mga6
gstreamer0.10-libass-0.10.23-35.1.mga6
gstreamer0.10-resindvd-0.10.23-35.1.mga6
gstreamer0.10-voip-0.10.23-35.1.mga6
gstreamer0.10-cog-0.10.23-35.1.mga6
gstreamer0.10-plugins-bad-doc-0.10.23-35.1.mga6
gstreamer0.10-plugins-bad-debuginfo-0.10.23-35.1.mga6
gstreamer0.10-vdpau-0.10.23-35.1.mga6
gstreamer0.10-gsm-0.10.23-35.1.mga6
gstreamer0.10-neon-0.10.23-35.1.mga6
gstreamer0.10-nas-0.10.23-35.1.mga6
gstreamer0.10-jp2k-0.10.23-35.1.mga6
gstreamer0.10-celt-0.10.23-35.1.mga6
gstreamer0.10-rsvg-0.10.23-35.1.mga6

from gstreamer0.10-plugins-bad-0.10.23-35.1.mga6.src.rpm

Assignee: shlomif => qa-bugs

Mageia 6 tainted build is building now.

QA leaders, when adding the advisories in SVN, please add to the references for the Mageia 5 advisory bugs 19802, 19814, and 20238 (this bug). The advisory for Mageia 6 should only list this bug.

To prioritise.

Dave Hodgins
2017-12-31 11:35:14 CET
Keywords: (none) => advisory

Tested using radiotray and parole, first without tainted (had to turn off XV in parole), then with the tainted versions. Ok for Mageia 5.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK MGA5-64-OK

Same testing with Mageia 6 ok. Validating the update.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0012.html

Resolution: (none) => FIXED

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0013.html