Bug 20239

Summary: gstreamer1.0-plugins-ugly new security issues CVE-2017-584[67]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, marja11, pkg-bugs, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/713775/
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
Source RPM: gstreamer1.0-plugins-ugly-1.4.3-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-02-02 12:15:13 CET 
CVEs have been assigned for several security issues fixed in gstreamer 1.10.3:
http://openwall.com/lists/oss-security/2017/02/02/9

Two of those affect plugins-ugly.  The second one actually wasn't fixed in 1.10.3, but a fix has been committed for it since.

Mageia 5 may also be affected by these.
Comment 1 Marja Van Waes 2017-02-02 16:05:33 CET 
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => fundawang

David Walser 2017-02-07 12:10:38 CET

URL: (none) => https://lwn.net/Vulnerabilities/713775/

Comment 2 David Walser 2017-02-21 12:16:26 CET 
gstreamer0.10-plugins-ugly also affected:
https://lwn.net/Vulnerabilities/713775/
David Walser 2017-02-21 12:28:01 CET

Assignee: fundawang => shlomif

Comment 3 David Walser 2017-12-28 00:27:22 CET 
Note that there are core and tainted builds for these packages.  The Mageia 6 tainted build isn't available yet because the build system was never fixed.

Advisory (Mageia 5):
========================

Updated gstreamer0.10-plugins-ugly and gstreamer1.0-plugins-ugly packages fix security vulnerabilities:

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of service
or the execution of arbitrary code if a malformed media file is opened
(CVE-2017-5846, CVE-2017-5847).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5847
https://lwn.net/Alerts/714998/
https://www.debian.org/security/2017/dsa-3821
========================

Updated packages in {core,tainted}/updates_testing:
========================
gstreamer0.10-plugins-ugly-0.10.19-14.2.mga5
gstreamer0.10-plugins-ugly-debuginfo-0.10.19-14.2.mga5
gstreamer0.10-sid-0.10.19-14.2.mga5
gstreamer0.10-a52dec-0.10.19-14.2.mga5
gstreamer0.10-mpeg-0.10.19-14.2.mga5
gstreamer0.10-cdio-0.10.19-14.2.mga5
gstreamer0.10-twolame-0.10.19-14.2.mga5
gstreamer1.0-plugins-ugly-1.4.3-2.1.mga5
gstreamer1.0-plugins-ugly-debuginfo-1.4.3-2.1.mga5
gstreamer1.0-sid-1.4.3-2.1.mga5
gstreamer1.0-a52dec-1.4.3-2.1.mga5
gstreamer1.0-mpeg-1.4.3-2.1.mga5
gstreamer1.0-cdio-1.4.3-2.1.mga5

from SRPMS:
gstreamer0.10-plugins-ugly-0.10.19-14.2.mga5.src.rpm
gstreamer1.0-plugins-ugly-1.4.3-2.1.mga5.src.rpm


Advisory (Mageia 6):
========================

Updated gstreamer0.10-plugins-ugly packages fix security vulnerabilities:

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of service
or the execution of arbitrary code if a malformed media file is opened
(CVE-2017-5846, CVE-2017-5847).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5847
https://lwn.net/Alerts/714998/
https://www.debian.org/security/2017/dsa-3821
========================

Updated packages in {core,tainted}/updates_testing:
========================
gstreamer0.10-plugins-ugly-0.10.19-18.1.mga6
gstreamer0.10-plugins-ugly-debuginfo-0.10.19-18.1.mga6
gstreamer0.10-lame-0.10.19-18.1.mga6
gstreamer0.10-sid-0.10.19-18.1.mga6
gstreamer0.10-a52dec-0.10.19-18.1.mga6
gstreamer0.10-mpeg-0.10.19-18.1.mga6
gstreamer0.10-cdio-0.10.19-18.1.mga6
gstreamer0.10-twolame-0.10.19-18.1.mga

from gstreamer0.10-plugins-ugly-0.10.19-18.1.mga6.src.rpm

Version: 5 => 6
Whiteboard: (none) => MGA5TOO
Assignee: shlomif => qa-bugs

Comment 4 David Walser 2017-12-28 00:29:15 CET 
The tainted builds should be on their way shortly.
Comment 5 Lewis Smith 2017-12-30 11:59:37 CET 
To prioritise.
Dave Hodgins 2017-12-31 11:52:01 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Dave Hodgins 2018-01-01 13:36:08 CET 
Tested using radiotray and parole, first without tainted (had to turn off XV in
parole), then with the tainted versions.

Ok for Mageia 5.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK MGA5-64-OK

Comment 7 Dave Hodgins 2018-01-01 13:58:02 CET 
Ok on m6. Validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-01-01 16:51:25 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0014.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 Mageia Robot 2018-01-01 16:51:27 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0015.html