| Summary: | gstreamer1.0-plugins-good (CVE-2021-349[78]), gstreamer1.0-plugins-ugly, gstreamer1.0-libav new security issues fixed upstream in 1.18.4 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | guillaume.royer, jani.valimaa, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | gstreamer1.0-plugins-good-1.18.3-1.mga8.src.rpm, gstreamer1.0-plugins-ugly-1.18.3-1.mga8.src.rpm, gstreamer1.0-libav-1.18.3-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2021-03-31 00:29:54 CEST
David Walser
2021-03-31 00:30:04 CEST
Whiteboard: (none) => MGA7TOO

Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.
(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => pkg-bugs

Patched mga8 pkgs are available for tests in core/updates_testing:
gstreamer1.0-plugins-good-1.18.3-1.2.mga8
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8
gstreamer1.0-libav-1.18.3-1.1.mga8

And in tainted/updates_testing:
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8

Comment 2 was SRPMS, here are RPMs. Mageia 7 still pending.

Core:
gstreamer1.0-plugins-good-1.18.3-1.2.mga8
gstreamer1.0-pulse-1.18.3-1.2.mga8
gstreamer1.0-vp8-1.18.3-1.2.mga8
gstreamer1.0-soup-1.18.3-1.2.mga8
gstreamer1.0-flac-1.18.3-1.2.mga8
gstreamer1.0-dv-1.18.3-1.2.mga8
gstreamer1.0-jack-1.18.3-1.2.mga8
gstreamer1.0-raw1394-1.18.3-1.2.mga8
gstreamer1.0-speex-1.18.3-1.2.mga8
gstreamer1.0-wavpack-1.18.3-1.2.mga8
gstreamer1.0-aalib-1.18.3-1.2.mga8
gstreamer1.0-twolame-1.18.3-1.2.mga8
gstreamer1.0-lame-1.18.3-1.2.mga8
gstreamer1.0-caca-1.18.3-1.2.mga8
gstreamer1.0-libav-1.18.3-1.1.mga8

Core and Tainted:
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8
gstreamer1.0-sid-1.18.3-1.1.mga8
gstreamer1.0-mpeg-1.18.3-1.1.mga8
gstreamer1.0-a52dec-1.18.3-1.1.mga8
gstreamer1.0-cdio-1.18.3-1.1.mga8

Mageia 7 pkgs.

Core:
gstreamer1.0-plugins-good-1.16.0-1.1.mga7
gstreamer1.0-jack-1.16.0-1.1.mga7
gstreamer1.0-soup-1.16.0-1.1.mga7
gstreamer1.0-pulse-1.16.0-1.1.mga7
gstreamer1.0-dv-1.16.0-1.1.mga7
gstreamer1.0-speex-1.16.0-1.1.mga7
gstreamer1.0-raw1394-1.16.0-1.1.mga7
gstreamer1.0-flac-1.16.0-1.1.mga7
gstreamer1.0-aalib-1.16.0-1.1.mga7
gstreamer1.0-caca-1.16.0-1.1.mga7
gstreamer1.0-vp8-1.16.0-1.1.mga7
gstreamer1.0-wavpack-1.16.0-1.1.mga7
gstreamer1.0-lame-1.16.0-1.1.mga7
gstreamer1.0-twolame-1.16.0-1.1.mga7
gstreamer1.0-libav-1.16.0-1.1.mga7

Core and Tainted:
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7
gstreamer1.0-sid-1.16.0-1.1.mga7
gstreamer1.0-a52dec-1.16.0-1.1.mga7
gstreamer1.0-mpeg-1.16.0-1.1.mga7
gstreamer1.0-cdio-1.16.0-1.1.mga7

David Walser
2021-04-10 01:16:36 CEST
Assignee: pkg-bugs => qa-bugs

MGA 7 VM Gnome
Updated with QA repo. No issues at installation.
Listen webradio "La Grosse Radio" with VLC OK

CC: (none) => guillaume.royer

MGA 8 Xfce
Updated with QA repo. No issues at installation.
Listen webradio "La Grosse Radio" and MP3 with "Parole" OK

Updating to latest gstreamer RPMs, core and tainted.
Firefox plays .mp3 and all media OK.
Note that Plasma/DE seems to use gstreamer as backend for phonon, the multimedia system.

$ rpm -qa | grep phonon
lib64phonon4qt5_4-4.11.1-2.mga8
lib64phonon4qt5experimental4-4.11.1-2.mga8
phonon4qt5-gstreamer-4.10.0-2.mga8
phonon4qt5-4.11.1-2.mga8
phonon-gstreamer-common-4.10.0-2.mga8

As long as multimedia is OK on all my Plasma apps, give this an OK.

Advisory:
========================

Updated gstreamer packages fix security vulnerabilities:

GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files (SA-2021-0002).

GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files (SA-2021-0003).

GStreamer before 1.18.4 might do an out-of-bounds read when handling certain RealMedia files or streams (SA-2021-0004).

GStreamer before 1.18.4 might cause stack corruptions with streams that have more than 64 audio channels (SA-2021-0005).

It might be possible for a malicious third party to trigger a crash in the application, but possibly also an arbitrary code execution with the privileges of the target user.

References:
https://gstreamer.freedesktop.org/security/sa-2021-0002.html
https://gstreamer.freedesktop.org/security/sa-2021-0003.html
https://gstreamer.freedesktop.org/security/sa-2021-0004.html
https://gstreamer.freedesktop.org/security/sa-2021-0005.html
https://gstreamer.freedesktop.org/releases/1.18/#1.18.4
========================

Updated packages from 7/core/updates_testing
========================
gstreamer1.0-a52dec-1.16.0-1.1.mga7
gstreamer1.0-aalib-1.16.0-1.1.mga7
gstreamer1.0-caca-1.16.0-1.1.mga7
gstreamer1.0-cdio-1.16.0-1.1.mga7
gstreamer1.0-dv-1.16.0-1.1.mga7
gstreamer1.0-flac-1.16.0-1.1.mga7
gstreamer1.0-jack-1.16.0-1.1.mga7
gstreamer1.0-lame-1.16.0-1.1.mga7
gstreamer1.0-libav-1.16.0-1.1.mga7
gstreamer1.0-mpeg-1.16.0-1.1.mga7
gstreamer1.0-plugins-good-1.16.0-1.1.mga7
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7
gstreamer1.0-pulse-1.16.0-1.1.mga7
gstreamer1.0-raw1394-1.16.0-1.1.mga7
gstreamer1.0-sid-1.16.0-1.1.mga7
gstreamer1.0-soup-1.16.0-1.1.mga7
gstreamer1.0-speex-1.16.0-1.1.mga7
gstreamer1.0-twolame-1.16.0-1.1.mga7
gstreamer1.0-vp8-1.16.0-1.1.mga7
gstreamer1.0-wavpack-1.16.0-1.1.mga7

from SRPM
========================
gstreamer1.0-libav-1.16.0-1.1.mga7
gstreamer1.0-plugins-good-1.16.0-1.1.mga7
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7

Updated packages from 7/tainted/updates_testing
========================
gstreamer1.0-a52dec-1.16.0-1.1.mga7.tainted
gstreamer1.0-amrnb-1.16.0-1.1.mga7.tainted
gstreamer1.0-amrwbdec-1.16.0-1.1.mga7.tainted
gstreamer1.0-cdio-1.16.0-1.1.mga7.tainted
gstreamer1.0-mpeg-1.16.0-1.1.mga7.tainted
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7.tainted
gstreamer1.0-sid-1.16.0-1.1.mga7.tainted
gstreamer1.0-x264-1.16.0-1.1.mga7.tainted

from SRPM
========================
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7.tainted

Updated packages from 8/core/updates_testing
========================
gstreamer1.0-a52dec-1.18.3-1.1.mga8
gstreamer1.0-aalib-1.18.3-1.2.mga8
gstreamer1.0-caca-1.18.3-1.2.mga8
gstreamer1.0-cdio-1.18.3-1.1.mga8
gstreamer1.0-dv-1.18.3-1.2.mga8
gstreamer1.0-flac-1.18.3-1.2.mga8
gstreamer1.0-jack-1.18.3-1.2.mga8
gstreamer1.0-lame-1.18.3-1.2.mga8
gstreamer1.0-libav-1.18.3-1.1.mga8
gstreamer1.0-mpeg-1.18.3-1.1.mga8
gstreamer1.0-plugins-good-1.18.3-1.2.mga8
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8
gstreamer1.0-pulse-1.18.3-1.2.mga8
gstreamer1.0-raw1394-1.18.3-1.2.mga8
gstreamer1.0-sid-1.18.3-1.1.mga8
gstreamer1.0-soup-1.18.3-1.2.mga8
gstreamer1.0-speex-1.18.3-1.2.mga8
gstreamer1.0-twolame-1.18.3-1.2.mga8
gstreamer1.0-vp8-1.18.3-1.2.mga8
gstreamer1.0-wavpack-1.18.3-1.2.mga8

from SRPM
========================
gstreamer1.0-libav-1.18.3-1.1.mga8
gstreamer1.0-plugins-good-1.18.3-1.2.mga8
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8

Updated packages from 8/tainted/updates_testing
========================
gstreamer1.0-a52dec-1.18.3-1.1.mga8.tainted
gstreamer1.0-amrnb-1.18.3-1.1.mga8.tainted
gstreamer1.0-amrwbdec-1.18.3-1.1.mga8.tainted
gstreamer1.0-cdio-1.18.3-1.1.mga8.tainted
gstreamer1.0-mpeg-1.18.3-1.1.mga8.tainted
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8.tainted
gstreamer1.0-sid-1.18.3-1.1.mga8.tainted
gstreamer1.0-x264-1.18.3-1.1.mga8.tainted

from SRPM
========================
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8.tainted

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0187.html

Status: NEW => RESOLVED

CVE-2021-3497, CVE-2021-3498 were assigned for gstreamer1.0-plugins-good:
https://www.debian.org/security/2021/dsa-4900

Summary: gstreamer1.0-plugins-good, gstreamer1.0-plugins-ugly, gstreamer1.0-libav new security issues fixed upstream in 1.18.4 => gstreamer1.0-plugins-good (CVE-2021-349[78]), gstreamer1.0-plugins-ugly, gstreamer1.0-libav new security issues fixed upstream in 1.18.4