Bug 28977

Summary: gstreamer1.0-plugins-base, gstreamer1.0-plugins-bad new security issues fixed upstream in 1.18.4 (including CVE-2021-3522)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, jani.valimaa, mageia, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=29144
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: gstreamer1.0-plugins-base-1.18.3-1.mga8.src.rpm, gstreamer1.0-plugins-bad-1.18.3-1.mga8.src.rpm CVE: CVE-2021-3522
Status comment:

Description David Walser 2021-05-28 00:09:08 CEST 
+++ This bug was initially created as a clone of Bug #28685 +++

Several issues are fixed upstream in 1.18.4:
https://gstreamer.freedesktop.org/releases/1.18/#1.18.4

Debian has issued advisories on April 24:
https://www.debian.org/security/2021/dsa-4903
https://www.debian.org/security/2021/dsa-4902

Including fixes for base and bad, which we didn't update in Bug 28685, as they weren't listed in upstream's advisory.  Perhaps there were fixes that we missed.
David Walser 2021-05-28 00:09:34 CEST

Whiteboard: (none) => MGA7TOO
Source RPM: gstreamer1.0-plugins-good-1.18.3-1.mga8.src.rpm, gstreamer1.0-plugins-ugly-1.18.3-1.mga8.src.rpm, gstreamer1.0-libav-1.18.3-1.mga8.src.rpm => gstreamer1.0-plugins-base-1.18.3-1.mga8.src.rpm, gstreamer1.0-plugins-bad-1.18.3-1.mga8.src.rpm

Comment 1 David Walser 2021-05-28 21:34:01 CEST 
Yes, CVE-2021-3522 was fixed in gstreamer1.0-plugins-base 1.18.4:
https://ubuntu.com/security/notices/USN-4959-1

Summary: gstreamer1.0-plugins-base, gstreamer1.0-plugins-bad possible new security issues fixed upstream in 1.18.4 => gstreamer1.0-plugins-base, gstreamer1.0-plugins-bad new security issues fixed upstream in 1.18.4 (including CVE-2021-3522)
Severity: normal => major

Comment 2 Lewis Smith 2021-06-02 21:07:25 CEST 
We have version 1.18.4 in Cauldron.

In the light of no registered maintainer, and given the many CVE updates in progress, Jani will excuse me for assigning this bug to him - who has committed all newest versions, and is already CC'd.

CC: jani.valimaa => (none)
Assignee: bugsquad => jani.valimaa

Comment 3 David Walser 2021-06-16 19:40:05 CEST 
Fedora has issued an advisory today (June 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FIELJQTRGQZGHBEJDQ7CJYI4DFNWMP74/

It backports a couple more security fixes for plugins-bad.

Summary: gstreamer1.0-plugins-base, gstreamer1.0-plugins-bad new security issues fixed upstream in 1.18.4 (including CVE-2021-3522) => gstreamer1.0-plugins-base, gstreamer1.0-plugins-bad new security issues fixed upstream in 1.18.4 (including CVE-2021-3522 and CVE-2021-3047[35])

David Walser 2021-06-16 19:42:44 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29144

Comment 4 David Walser 2021-06-16 19:43:13 CEST 
(In reply to David Walser from comment #3)
> Fedora has issued an advisory today (June 16):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/FIELJQTRGQZGHBEJDQ7CJYI4DFNWMP74/
> 
> It backports a couple more security fixes for plugins-bad.

Those CVEs are in dynamically linked libaom (see Bug 29144).

Summary: gstreamer1.0-plugins-base, gstreamer1.0-plugins-bad new security issues fixed upstream in 1.18.4 (including CVE-2021-3522 and CVE-2021-3047[35]) => gstreamer1.0-plugins-base, gstreamer1.0-plugins-bad new security issues fixed upstream in 1.18.4 (including CVE-2021-3522)

Comment 5 David Walser 2021-06-27 22:25:40 CEST 
Note that gstreamer1.0-plugins-bad is in core and tainted.

Updated packages in core/updates_testing:
========================
gstreamer1.0-plugins-base-1.16.0-2.1.mga7
libgstreamer-plugins-base1.0_0-1.16.0-2.1.mga7
libgstreamer-plugins-base-gir1.0-1.16.0-2.1.mga7
libgstgl-gir1.0-1.16.0-2.1.mga7
libgstreamer-plugins-base1.0-devel-1.16.0-2.1.mga7
gstreamer1.0-cdparanoia-1.16.0-2.1.mga7
gstreamer1.0-libvisual-1.16.0-2.1.mga7
libgstgl1.0_0-1.16.0-2.1.mga7
gstreamer1.0-plugins-base-1.18.3-1.1.mga8
libgstreamer-plugins-base1.0_0-1.18.3-1.1.mga8
libgstreamer-plugins-base1.0-devel-1.18.3-1.1.mga8
libgstgl1.0_0-1.18.3-1.1.mga8
libgstreamer-plugins-base-gir1.0-1.18.3-1.1.mga8
gstreamer1.0-cdparanoia-1.18.3-1.1.mga8
libgstgl-gir1.0-1.18.3-1.1.mga8
gstreamer1.0-libvisual-1.18.3-1.1.mga8

Updated packages in {core,tainted}/updates_testing:
========================
gstreamer1.0-plugins-bad-1.16.0-1.2.mga7
libgstphotography1.0_0-1.16.0-1.2.mga7
libgstcodecparsers1.0_0-1.16.0-1.2.mga7
libgstbasecamerabinsrc1.0_0-1.16.0-1.2.mga7
libgstbadaudio1.0_0-1.16.0-1.2.mga7
libgstplayer1.0_0-1.16.0-1.2.mga7
libgstwayland1.0_0-1.16.0-1.2.mga7
libgstinsertbin1.0_0-1.16.0-1.2.mga7
libgstmpegts1.0_0-1.16.0-1.2.mga7
libgsturidownloader1.0_0-1.16.0-1.2.mga7
libgstisoff1.0_0-1.16.0-1.2.mga7
libgstwebrtc1.0_0-1.16.0-1.2.mga7
libgstsctp1.0_0-1.16.0-1.2.mga7
libgstreamer-plugins-bad1.0-devel-1.16.0-1.2.mga7
gstreamer1.0-curl-1.16.0-1.2.mga7
gstreamer1.0-mpeg2enc-1.16.0-1.2.mga7
gstreamer1.0-gme-1.16.0-1.2.mga7
gstreamer1.0-mms-1.16.0-1.2.mga7
gstreamer1.0-rtmp-1.16.0-1.2.mga7
gstreamer1.0-soundtouch-1.16.0-1.2.mga7
gstreamer1.0-libass-1.16.0-1.2.mga7
gstreamer1.0-wildmidi-1.16.0-1.2.mga7
gstreamer1.0-plugins-bad-doc-1.16.0-1.2.mga7
libgstreamer-plugins-bad-gir1.0-1.16.0-1.2.mga7
libgstplayer-gir1.0-1.16.0-1.2.mga7
libgstwebrtc-gir1.0-1.16.0-1.2.mga7
gstreamer1.0-gsm-1.16.0-1.2.mga7
gstreamer1.0-dash-1.16.0-1.2.mga7
gstreamer1.0-fluidsynth-1.16.0-1.2.mga7
gstreamer1.0-ladspa-1.16.0-1.2.mga7
gstreamer1.0-neon-1.16.0-1.2.mga7
gstreamer1.0-ofa-1.16.0-1.2.mga7
gstreamer1.0-sbc-1.16.0-1.2.mga7
gstreamer1.0-smoothstreaming-1.16.0-1.2.mga7
gstreamer1.0-spandsp-1.16.0-1.2.mga7
gstreamer1.0-srtp-1.16.0-1.2.mga7
libgstreamer-plugins-bad1.0-devel-1.18.3-1.1.mga8
libgstcodecparsers1.0_0-1.18.3-1.1.mga8
gstreamer1.0-dash-1.18.3-1.1.mga8
gstreamer1.0-plugins-bad-1.18.3-1.1.mga8
libgstplayer1.0_0-1.18.3-1.1.mga8
libgstmpegts1.0_0-1.18.3-1.1.mga8
gstreamer1.0-curl-1.18.3-1.1.mga8
libgstcodecs1.0_0-1.18.3-1.1.mga8
gstreamer1.0-mpeg2enc-1.18.3-1.1.mga8
gstreamer1.0-transcoder-1.18.3-1.1.mga8
libgstbadaudio1.0_0-1.18.3-1.1.mga8
gstreamer1.0-srtp-1.18.3-1.1.mga8
libgirgstmpegts-gir1.0-1.18.3-1.1.mga8
gstreamer1.0-ladspa-1.18.3-1.1.mga8
gstreamer1.0-smoothstreaming-1.18.3-1.1.mga8
gstreamer1.0-libass-1.18.3-1.1.mga8
libgstwebrtc1.0_0-1.18.3-1.1.mga8
libgsttranscoder1.0_0-1.18.3-1.1.mga8
libgsttranscoder-devel-1.18.3-1.1.mga8
gstreamer1.0-soundtouch-1.18.3-1.1.mga8
gstreamer1.0-rtmp-1.18.3-1.1.mga8
gstreamer1.0-neon-1.18.3-1.1.mga8
libgstbasecamerabinsrc1.0_0-1.18.3-1.1.mga8
libgstphotography1.0_0-1.18.3-1.1.mga8
gstreamer1.0-mms-1.18.3-1.1.mga8
gstreamer1.0-fluidsynth-1.18.3-1.1.mga8
libgsturidownloader1.0_0-1.18.3-1.1.mga8
libgstinsertbin1.0_0-1.18.3-1.1.mga8
gstreamer1.0-sbc-1.18.3-1.1.mga8
gstreamer1.0-gme-1.18.3-1.1.mga8
gstreamer1.0-gsm-1.18.3-1.1.mga8
libgstisoff1.0_0-1.18.3-1.1.mga8
gstreamer1.0-wildmidi-1.18.3-1.1.mga8
libgstplayer-gir1.0-1.18.3-1.1.mga8
libgstwebrtc-gir1.0-1.18.3-1.1.mga8
gstreamer1.0-ofa-1.18.3-1.1.mga8
libgstsctp1.0_0-1.18.3-1.1.mga8
libgstwayland1.0_0-1.18.3-1.1.mga8
libgstbadaudio-gir1.0-1.18.3-1.1.mga8
libgstcodecs-gir1.0-1.18.3-1.1.mga8
libgsttranscoder-gir1.0-1.18.3-1.1.mga8
libgirinsertbin-git1.0-1.18.3-1.1.mga8

from SRPMS:
gstreamer1.0-plugins-base-1.16.0-2.1.mga7.src.rpm
gstreamer1.0-plugins-bad-1.16.0-1.2.mga7.src.rpm
gstreamer1.0-plugins-base-1.18.3-1.1.mga8.src.rpm
gstreamer1.0-plugins-bad-1.18.3-1.1.mga8.src.rpm

Assignee: jani.valimaa => qa-bugs
CC: (none) => jani.valimaa

Comment 6 David Walser 2021-06-27 22:28:38 CEST 
Advisory:
========================

Updated gstreamer1.0-plugins-base and gstreamer1.0-plugins bad packages fix security vulnerabilities:

GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain
ID3v2 tags (CVE-2021-3522).

Overflows in AVC/HEVC NAL unit length calculations, which would lead to
allocating infinite amounts of small memory blocks until OOM and could
potentially also lead to memory corruptions.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3522
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/2103
https://www.debian.org/security/2021/dsa-4903
https://www.debian.org/security/2021/dsa-4902
https://ubuntu.com/security/notices/USN-4959-1
Comment 7 PC LX 2021-06-28 18:45:49 CEST 
Installed and tested without issues.


Tested using the totem player on a large variety of files. No regressions.



System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.



$ uname -a
Linux marte 5.10.45-desktop-2.mga7 #1 SMP Sat Jun 19 15:58:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep gst | sort
gstreamer1.0-a52dec-1.16.0-1.1.mga7.tainted
gstreamer1.0-amrnb-1.16.0-1.1.mga7.tainted
gstreamer1.0-cdio-1.16.0-1.1.mga7.tainted
gstreamer1.0-cdparanoia-1.16.0-2.1.mga7
gstreamer1.0-dv-1.16.0-1.1.mga7
gstreamer1.0-faad-1.16.0-1.2.mga7.tainted
gstreamer1.0-farstream-0.2.8-2.mga7
gstreamer1.0-flac-1.16.0-1.1.mga7
gstreamer1.0-gme-1.16.0-1.2.mga7.tainted
gstreamer1.0-gsm-1.16.0-1.2.mga7.tainted
gstreamer1.0-gstclutter3-3.0.27-1.mga7
gstreamer1.0-lame-1.16.0-1.1.mga7
gstreamer1.0-libav-1.16.0-1.1.mga7
gstreamer1.0-mms-1.16.0-1.2.mga7.tainted
gstreamer1.0-mpeg-1.16.0-1.1.mga7.tainted
gstreamer1.0-neon-1.16.0-1.2.mga7.tainted
gstreamer1.0-ofa-1.16.0-1.2.mga7.tainted
gstreamer1.0-plugins-bad-1.16.0-1.2.mga7.tainted
gstreamer1.0-plugins-base-1.16.0-2.1.mga7
gstreamer1.0-plugins-good-1.16.0-1.1.mga7
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7.tainted
gstreamer1.0-pulse-1.16.0-1.1.mga7
gstreamer1.0-rtmp-1.16.0-1.2.mga7.tainted
gstreamer1.0-soundtouch-1.16.0-1.2.mga7.tainted
gstreamer1.0-soup-1.16.0-1.1.mga7
gstreamer1.0-speex-1.16.0-1.1.mga7
gstreamer1.0-tools-1.16.0-2.mga7
gstreamer1.0-twolame-1.16.0-1.1.mga7
gstreamer1.0-wavpack-1.16.0-1.1.mga7
gstreamer1.0-x264-1.16.0-1.1.mga7.tainted
gstreamer1.0-x265-1.16.0-1.2.mga7.tainted
lib64clutter-gst3.0_0-3.0.27-1.mga7
lib64gstbadaudio1.0_0-1.16.0-1.2.mga7.tainted
lib64gstbasecamerabinsrc1.0_0-1.16.0-1.2.mga7.tainted
lib64gstcodecparsers1.0_0-1.16.0-1.2.mga7.tainted
lib64gst-gir1.0-1.16.0-2.mga7
lib64gstgl1.0_0-1.16.0-2.1.mga7
lib64gstmpegts1.0_0-1.16.0-1.2.mga7.tainted
lib64gstphotography1.0_0-1.16.0-1.2.mga7.tainted
lib64gstreamer1.0_0-1.16.0-2.mga7
lib64gstreamer-plugins-base1.0_0-1.16.0-2.1.mga7
lib64gstsctp1.0_0-1.16.0-1.2.mga7.tainted
lib64gsturidownloader1.0_0-1.16.0-1.2.mga7.tainted
lib64gstwayland1.0_0-1.16.0-1.2.mga7.tainted
lib64gstwebrtc1.0_0-1.16.0-1.2.mga7.tainted
lib64qt5gstreamer1.0_0-1.2.0-8.mga7
lib64qt5gstreamerquick1.0_0-1.2.0-8.mga7
lib64qt5multimediagsttools5-5.12.6-1.mga7
libgstreamer1.0_0-1.16.0-2.mga7
libgstreamer-plugins-base1.0_0-1.16.0-2.1.mga7
phonon4qt5-gstreamer-4.9.0-6.mga7
phonon-gstreamer-common-4.9.0-6.mga7
qt5-gstreamer-1.2.0-8.mga7

CC: (none) => mageia

Comment 8 PC LX 2021-06-29 12:39:12 CEST 
Since the end-of-support for Mageia 7 is approaching, I'm giving this update an OK for x86_64 based on comment 7.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 9 David Walser 2021-07-08 23:37:24 CEST 
Tested the PoC for CVE-2021-3522 from here:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876

Before:
$ gst-play-1.0 --verbose --volume=0.0 https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/uploads/086d01c9b66ffe1b9f1cd542708d184a/seg.mp3
Volume: 0%                  
Press 'k' to see a list of keyboard shortcuts.
Now playing https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/uploads/086d01c9b66ffe1b9f1cd542708d184a/seg.mp3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: ring-buffer-max-size = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: buffer-size = -1
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: buffer-duration = -1
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: force-sw-decoders = false
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: use-buffering = false
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: download = false
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: uri = https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/uploads/086d01c9b66ffe1b9f1cd542708d184a/seg.mp3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: connection-speed = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: source = "\(GstSoupHTTPSrc\)\ source"
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstTypeFindElement:typefindelement0.GstPad:src: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstTypeFindElement:typefind: force-caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0: sink-caps = application/x-id3

/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0: bitrate = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0: bitrate = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0.GstPad:sink: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0: bitrate = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0: bitrate = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0: bitrate = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0.GstPad:src: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0.GstGhostPad:sink.GstProxyPad:proxypad0: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstTypeFindElement:typefind.GstPad:src: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstID3Demux:id3demux0.GstPad:sink: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstTypeFindElement:typefind.GstPad:sink: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0.GstGhostPad:sink: caps = application/x-id3
Segmentation fault (core dumped)

After:
$ gst-play-1.0 --verbose --volume=0.0 https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/uploads/086d01c9b66ffe1b9f1cd542708d184a/seg.mp3
Volume: 0%                  
Press 'k' to see a list of keyboard shortcuts.
Now playing https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/uploads/086d01c9b66ffe1b9f1cd542708d184a/seg.mp3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: ring-buffer-max-size = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: buffer-size = -1
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: buffer-duration = -1
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: force-sw-decoders = false
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: use-buffering = false
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: download = false
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: uri = https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/uploads/086d01c9b66ffe1b9f1cd542708d184a/seg.mp3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: connection-speed = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0: source = "\(GstSoupHTTPSrc\)\ source"
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstTypeFindElement:typefindelement0.GstPad:src: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstTypeFindElement:typefind: force-caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0: sink-caps = application/x-id3

/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0: bitrate = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0: bitrate = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0.GstPad:sink: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0: bitrate = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0: bitrate = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0: bitrate = 0
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstQueue2:queue2-0.GstPad:src: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0.GstGhostPad:sink.GstProxyPad:proxypad0: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstTypeFindElement:typefind.GstPad:src: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstID3Demux:id3demux0.GstPad:sink: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstTypeFindElement:typefind.GstPad:sink: caps = application/x-id3
/GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0.GstGhostPad:sink: caps = application/x-id3
ERROR Could not determine type of stream. for https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/uploads/086d01c9b66ffe1b9f1cd542708d184a/seg.mp3
ERROR debug information: ../gst-libs/gst/tag/gsttagdemux.c(762): gst_tag_demux_sink_event (): /GstPlayBin:playbin/GstURIDecodeBin:uridecodebin0/GstDecodeBin:decodebin0/GstID3Demux:id3demux0
Reached end of play list.

So that successfully demonstrates the issue and the fix!  That takes care of gstreamer1.0-plugins-base (Mageia 8 x86_64).

For gstreamer1.0-plugins-bad, you'd need to test a player using gstreamer1.0-x264 or gstreamer1.0-x265 with an appropriate file.
Comment 10 Thomas Andrews 2021-07-10 15:44:42 CEST 
Test system: i5-2500, Intel graphics, 64-bit Plasma system. Went to install totem, but that wanted to add a bunch of gnome stuff I didn't want on this system, so I installed parole instead.

No installation issues with either core or tainted versions. Tested core firts, then updated to tainted.

"For gstreamer1.0-plugins-bad, you'd need to test a player using gstreamer1.0-x264 or gstreamer1.0-x265 with an appropriate file."

Tested more than one of those that had been produced by Handbrake, as well as some videos that used other codecs, with both core and tainted versions, and all played just fine. Also played a couple of audio files with Clementine.

Looks good to go. Validating. Advisory in Comment 6.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 11 Aurelien Oudelet 2021-07-10 17:01:29 CEST 
type: security
subject: Updated gstreamer1.0-plugins-base and gstreamer1.0-plugins-bad packages
fix security vulnerabilities
CVE:
 - CVE-2021-3522
src:
  7:
   core:
     - gstreamer1.0-plugins-base-1.16.0-2.1.mga7
     - gstreamer1.0-plugins-bad-1.16.0-1.2.mga7
   tainted:
     - gstreamer1.0-plugins-base-1.16.0-2.1.mga7.tainted
     - gstreamer1.0-plugins-bad-1.16.0-1.2.mga7.tainted
  8:
   core:
     - gstreamer1.0-plugins-base-1.18.3-1.1.mga8
     - gstreamer1.0-plugins-bad-1.18.3-1.1.mga8
   tainted:
     - gstreamer1.0-plugins-base-1.18.3-1.1.mga8.tainted
     - gstreamer1.0-plugins-bad-1.18.3-1.1.mga8.tainted
description: |
  GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain
  ID3v2 tags (CVE-2021-3522).
  
  Overflows in AVC/HEVC NAL unit length calculations, which would lead to
  allocating infinite amounts of small memory blocks until OOM and could
  potentially also lead to memory corruptions.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28977
 - https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/2103
 - https://www.debian.org/security/2021/dsa-4903
 - https://www.debian.org/security/2021/dsa-4902
 - https://ubuntu.com/security/notices/USN-4959-1

CVE: (none) => CVE-2021-3522
CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 12 David Walser 2021-07-10 17:05:29 CEST 
Advisory is wrong, base is not in tainted.
David Walser 2021-07-10 17:06:30 CEST

Keywords: advisory => (none)

Comment 13 Aurelien Oudelet 2021-07-10 18:12:09 CEST 
(In reply to David Walser from comment #12)
> Advisory is wrong, base is not in tainted.

Corrected.

type: security
subject: Updated gstreamer1.0-plugins-base and gstreamer1.0-plugins-bad packages
  fix security vulnerabilities
CVE:
 - CVE-2021-3522
src:
  7:
   core:
     - gstreamer1.0-plugins-base-1.16.0-2.1.mga7
     - gstreamer1.0-plugins-bad-1.16.0-1.2.mga7
   tainted:
     - gstreamer1.0-plugins-bad-1.16.0-1.2.mga7.tainted
  8:
   core:
     - gstreamer1.0-plugins-base-1.18.3-1.1.mga8
     - gstreamer1.0-plugins-bad-1.18.3-1.1.mga8
   tainted:
     - gstreamer1.0-plugins-bad-1.18.3-1.1.mga8.tainted
description: |
  GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain
  ID3v2 tags (CVE-2021-3522).
  
  Overflows in AVC/HEVC NAL unit length calculations, which would lead to
  allocating infinite amounts of small memory blocks until OOM and could
  potentially also lead to memory corruptions.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28977
 - https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/2103
 - https://www.debian.org/security/2021/dsa-4903
 - https://www.debian.org/security/2021/dsa-4902
 - https://ubuntu.com/security/notices/USN-4959-1

Keywords: (none) => advisory

Comment 14 Mageia Robot 2021-07-10 22:01:53 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0334.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED