Bug 29423

Summary: grilo new security issue CVE-2021-39365
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, jani.valimaa, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: grilo-0.3.13-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-08-28 17:16:29 CEST 
Debian has issued an advisory on August 27:
https://www.debian.org/security/2021/dsa-4964

Mageia 8 is also affected.
David Walser 2021-08-28 17:16:40 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-08-29 21:07:46 CEST 
Although this SRPM has no registered maintainer, Olav has been the principle committer for ages, so assigning this update to you.

Assignee: bugsquad => olav

Comment 2 David Walser 2021-08-30 16:34:03 CEST 
Ubuntu has issued an advisory for this today (August 30):
https://ubuntu.com/security/notices/USN-5055-1

Status comment: (none) => Patch available from Debian and Ubuntu

Comment 3 David Walser 2021-09-03 19:37:30 CEST 
Fedora has issued an advisory for this on September 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BHNVKGOZ7O6L44VYMLWYH5RN63ALIRV2/
Jani Välimaa 2021-10-10 15:00:17 CEST

CC: (none) => jani.valimaa
Status comment: Patch available from Debian and Ubuntu => Fixed upstream in 0.3.14

Comment 4 Jani Välimaa 2021-10-10 15:01:11 CEST 
Fixed in cauldron with grilo-0.3.14-1.mga9.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 5 Jani Välimaa 2021-10-10 15:20:28 CEST 
Pushed grilo-0.3.14-1.mga8 to core/updates.

SRPMS:
grilo-0.3.14-1.mga8

RPMS:
grilo-0.3.14-1.mga8
lib(64)grilo0.3_0-0.3.14-1.mga8
lib(64)grlnet0.3_0-0.3.14-1.mga8
lib(64)grlpls0.3_0-0.3.14-1.mga8
lib(64)grilo-gir0.3-0.3.14-1.mga8
lib(64)grilo-devel-0.3.14-1.mga8

Assignee: olav => qa-bugs

Comment 6 Jani Välimaa 2021-10-10 15:27:11 CEST 
Upstream bug report:
https://gitlab.gnome.org/GNOME/grilo/-/issues/146
David Walser 2021-10-10 17:59:18 CEST

Status comment: Fixed upstream in 0.3.14 => (none)

Comment 7 Herman Viaene 2021-10-12 15:46:05 CEST 
MGA8-64 Plasma on Lenovo B50
No isntallation issues.
No previous updates , so experimenting with the commands.
$ grilo-test-ui-0.3 

(grilo-test-ui-0.3:14628): Gtk-WARNING **: 15:33:10.081: Theme parsing error: gtk.css:2:33: Failed to import: Fout bij het openen van bestand /home/tester8/.config/gtk-3.0/window_decorations.css: Bestand of map bestaat niet

(firefox:14670): Gtk-WARNING **: 15:33:45.116: Theme parsing error: gtk.css:2:33: Failed to import: Fout bij het openen van bestand /home/tester8/.config/gtk-3.0/window_decorations.css: Bestand of map bestaat niet

(grilo-test-ui-0.3:14628): GLib-GObject-WARNING **: 15:33:54.376: invalid cast from 'GdkX11Window' to 'GtkWindow'

(grilo-test-ui-0.3:14628): Gtk-CRITICAL **: 15:33:54.376: gtk_message_dialog_new: assertion 'parent == NULL || GTK_IS_WINDOW (parent)' failed

(grilo-test-ui-0.3:14628): Gtk-CRITICAL **: 15:33:54.376: gtk_dialog_run: assertion 'GTK_IS_DIALOG (dialog)' failed

(totem:14796): Gtk-WARNING **: 15:35:11.810: Theme parsing error: gtk.css:2:33: Failed to import: Fout bij het openen van bestand /home/tester8/.config/gtk-3.0/window_decorations.css: Bestand of map bestaat niet

(totem:14796): Grilo-WARNING **: 15:35:12.385: [registry] ../src/grl-registry.c:1523: Plugin 'grl-local-metadata' not available

(totem:14796): Totem-WARNING **: 15:35:12.385: Failed to load grl-local-metadata plugin: Plug-in ‘grl-local-metadata’ niet beschikbaar

** (99-totem-pl-parser-videosite-quvi:14810): CRITICAL **: 15:35:12.725: [_chk_script_ident] /usr/share/libquvi-scripts/0.9/common/quvi/youtube.lua:109: module 'socket.url' not found:
        no field package.preload['socket.url']
        no file '/usr/share/lua/5.3/socket/url.lua'
        no file '/usr/share/lua/5.3/socket/url/init.lua'
        no file '/usr/lib/lua/5.3/socket/url.lua'
        no file '/usr/lib/lua/5.3/socket/url/init.lua'
        no file '/usr/lib64/lua/5.3/socket/url.lua'
        no file '/usr/lib64/lua/5.3/socket/url/init.lua'
        no file './socket/url.lua'
        no file './socket/url/init.lua'
        no file '/usr/share/libquvi-scripts/0.9/common/socket/url.lua'
        no file '/usr/lib/lua/5.3/socket/url.so'
        no file '/usr/lib/lua/5.3/loadall.so'
        no file '/usr/lib64/lua/5.3/socket/url.so'
        no file '/usr/lib64/lua/5.3/loadall.so'
        no file './socket/url.so'
        no file '/usr/lib/lua/5.3/socket.so'
        no file '/usr/lib/lua/5.3/loadall.so'
        no file '/usr/lib64/lua/5.3/socket.so'
        no file '/usr/lib64/lua/5.3/loadall.so'
        no file './socket.so'

(totem:14796): Totem-WARNING **: 15:35:14.588: Could not query file attribute: HTTP-fout: Method Not Allowed

(totem:14796): Grilo-CRITICAL **: 15:35:33.314: grl_log_valist: assertion 'domain' failed
But inspite of all this, a windows opens that first asks authorization to access my Flickr account, which I don't have,Continuing anyway displays a whole list of media I could access, I picked out RAI-TV and in the section science I could open and plaay a video on astronomy. Nice.

$ grl-inspect-0.3 
grl-bookmarks:  grl-bookmarks
grl-chromaprint:  grl-chromaprint
grl-filesystem:  grl-filesystem
grl-gravatar:  grl-gravatar
grl-jamendo:  grl-jamendo
grl-lua-factory:  grl-appletrailers-lua  grl-euronews-lua  grl-guardianvideos-lua  grl-itunes-podcast  grl-musicbrainz-coverart  grl-radiofrance-lua  grl-steam-store  grl-thegamesdb  grl-video-title-parsing
grl-magnatune:  grl-magnatune
grl-metadata-store:  grl-metadata-store
grl-opensubtitles:  grl-opensubtitles
grl-optical-media:  grl-optical-media
grl-podcasts:  grl-podcasts
grl-raitv:  grl-raitv
grl-tracker3:  grl-tracker3-source
At least no eerors

$ grl-launch-0.3 
Gebruik:
  grl-launch-0.3 [OPTIE…] OPERATION PARAMETERS...

        browse <source>|<media container>
        may_resolve <key> <source>|<media container> [<source>]
        query <expression> <source>
        resolve <source>|<media> [<source>]
        search <term> <source>
        monitor <source>
        test_media_from_uri <uri> [<source>]
        media_from_uri <uri> <source>

Hulpopties:
  -h, --help                                Deze hulptekst tonen
  --help-all                                Alle hulpteksten tonen
  --help-grl                                Grilo-opties tonen

Programmaopties:
  -C, --config                              Configuration file to send to sources
  -c, --count                               Number of elements to return
  -d, --delay                               Wait some seconds before performing the operation (default 1 second)
  -f, --flags=full|fast_only|idle_relay     List of comma-separated flags to use
  -F, --full                                Full serialize
  -k, --keys                                List of comma-separated keys to retrieve
  -S, --serialize                           Serialize
  -s, --skip                                Number of elements to skip
  -T, --titles                              Print column titles
  -V, --version                             Print version
Looks like the CLI interface of the program.
In the end, the command labeled "test" seems to be the main GUI interface to the program.
But looks good

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2021-10-13 04:08:48 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-13 20:46:46 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-10-13 21:41:14 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0472.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED