| Summary: | gstreamer1.0-plugins-{base,good,bad,ugly} new security issues CVE-2022-192[0,2-5], CVE-2022-2122, CVE-2023-3732[7-9], ZDI-CAN-2144[34] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, ghibomgx, j.alberto.vc, jani.valimaa, marja11, sysadmin-bugs, xerxes2 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | gstreamer1.0-plugins-base-1.22.3-1.mga9.src.rpm, gstreamer1.0-plugins-bad-1.22.3-2.mga9.src.rpm, gstreamer1.0-plugins-good-1.22.3-1.mga9.src.rpm, gstreamer1.0-plugins-ugly-1.22.3-1.mga9.src.rpm | CVE: | CVE-2022-1920, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122, CVE-2023-37327, CVE-2023-37328, CVE-2023-37329, CVE-2023-38103, CVE-2023-38104, CVE-2023-40474, CVE-2023-40475, CVE-2023-40476, CVE-2023-44429, CVE-2023-44446 |
| Status comment: | Fixed upstream in 1.22.5, package to test in comment#14 | | |
| Attachments: | List of packages to test; List of gstreamer-1.22.8 packages | | |
Description

David Walser 2023-07-05 22:38:02 CEST

David Walser 2023-07-05 22:38:10 CEST

Whiteboard: (none) => MGA8TOO

Several packagers have dealt with the SRPMs in question, so assigning this globally; but CC'ing those packagers.

Assignee: bugsquad => pkg-bugs

gstreamer was updated in late May to 1.22.3. There is a newer 1.22.4 nowadays, see the changelog https://gstreamer.freedesktop.org/releases/1.22/#1.22.4 and https://gstreamer.freedesktop.org/security/ which also address several security bugs. IMHO we can prepare the gstreamer 1.22.4 triplets (good,bad,ugly) and then submit after the final mga9 release as an update.

Ok, I've got gstreamer 1.22.4 ready (tested in COPR). I'll submit to {core,tainted}/updates_testing, so it's ready for post-release.
The gstreamer suite and its deps aligned to 1.22.4 fixing this have been in {core,tainted}/updates_testing for a month. Using it locally I've not had any problems since then. If I understand correctly we decided to delay this submit until after the final release. Maybe this should be reconsidered and released before? However, in the meantime there were two other new advisories:
https://gstreamer.freedesktop.org/security/sa-2023-0005.html
https://gstreamer.freedesktop.org/security/sa-2023-0005.html
which however require 1.22.5, which we don't have anyway in updates_testing.
It's quite a bit more than that. We have all of these to deal with:
https://gstreamer.freedesktop.org/security/sa-2022-0002.html
https://gstreamer.freedesktop.org/security/sa-2022-0003.html
https://gstreamer.freedesktop.org/security/sa-2022-0004.html
https://gstreamer.freedesktop.org/security/sa-2023-0001.html
https://gstreamer.freedesktop.org/security/sa-2023-0002.html
https://gstreamer.freedesktop.org/security/sa-2023-0003.html
https://gstreamer.freedesktop.org/security/sa-2023-0004.html
https://gstreamer.freedesktop.org/security/sa-2023-0005.html
The 2022 ones just for Mageia 8 and the 2023 ones for both. I'm not sure what Debian fixed in plugins-bad, but the above advisories cover base, good, and ugly.

CVE-2022-192[0,2-5], CVE-2022-2122: good
CVE-2023-3732[79]: good
CVE-2023-37328: base
ZDI-CAN-2144[34]: ugly

Summary: gstreamer1.0-plugins-{base,good,bad} possible new security issues => gstreamer1.0-plugins-{base,good,bad,ugly} new security issues CVE-2022-192[0,2-5], CVE-2022-2122, CVE-2023-3732[7-9], ZDI-CAN-2144[34]

According to that list, up to https://gstreamer.freedesktop.org/security/sa-2023-0003.html the fixes are covered in gstreamer 1.22.4 (which we have in updates_testing). The remaining sa-2023-0004.html and sa-2023-0005.html (I pasted sa-2023-0005.html twice in my previous comment), which should refer to ZDI-CAN-2144[34], should be covered in gstreamer-1.22.5 (which we don't have [yet] in any repo).

All the gstreamer 1.22.5 packages fixing the known advisories are uploaded in mga9:core/updates_testing and mga9:tainted/updates_testing. Here is the list of packages for core/updates_testing:
gstreamer1.0-1.22.5-1.mga9.src.rpm
gstreamer1.0-devtools-1.22.5-1.mga9.src.rpm
gstreamer1.0-editing-services-1.22.5-1.mga9.src.rpm
gstreamer1.0-libav-1.22.5-1.mga9.src.rpm
gstreamer1.0-moodbar-1.2.1-4.mga9.src.rpm
gstreamer1.0-omx-1.22.5-1.mga9.src.rpm
gstreamer1.0-plugins-bad-1.22.5-1.mga9.src.rpm
gstreamer1.0-plugins-base-1.22.5-1.mga9.src.rpm
gstreamer1.0-plugins-good-1.22.5-1.mga9.src.rpm
gstreamer1.0-plugins-ugly-1.22.5-1.mga9.src.rpm
gstreamer1.0-python-1.22.5-1.mga9.src.rpm
gstreamer1.0-rtsp-server-1.22.5-1.mga9.src.rpm
gstreamer1.0-vaapi-1.22.5-1.mga9.src.rpm
and for tainted/updates_testing:
gstreamer1.0-plugins-bad-1.22.5-1.mga9.tainted.src.rpm
gstreamer1.0-plugins-ugly-1.22.5-1.mga9.tainted.src.rpm

The packages are waiting in the queue, is there still something missing to push to updates? BTW, in the meantime 1.22.6 is out. Can we validate this bug and push gstreamer*1.22.5*? So that we can go to the next 1.22.6 that fixes further security bugs.

This was never assigned to QA, so it hasn't been tested and we can't validate yet. It's filed against Cauldron, should that be changed to Mageia 9?

CC: (none) => andrewsfarm

Yep, it was built when cauldron was still mga9, and the fixes postponed until after the final release, so as to avoid further re-testing/slowdowns.

OK then, changing to 9. But, since MGA9 has been released, all updates must now go through QA. It says MGA8 is also affected, so we will need packages for that release, too. Once it's ready, assign it to QA and we'll get on it.

Version: Cauldron => 9

I don't know about mga8, probably too complex to backport every single patch to 1.18.5, which is the gstreamer release of mga8. For mga9, alternatively we can ignore the package group of release 1.22.5 already made for mga9 that is in updates_testing, open a new specific bug for mga9, and go straight to release 1.22.6, which is the current one (that adds a few security fixes not included in 1.22.5). But it will take some time.

Created attachment 14129 [details]
List of packages to test

The list is a bit long, so I put the list in an attachment. I used my brain instead of brute force to get the list, but maybe missed something.
katnatek 2023-11-04 03:16:44 CET

Status comment: Fixed upstream in 1.22.5 => Fixed upstream in 1.22.5, package to test in comment#14

(In reply to Giuseppe Ghibò from comment #13)
> I don't know about mga8, probably too complex to backport every single patch
> to 1.18.5 which is the gstreamer release of mga8.
>
> For mga9, alternatively we can ignore the package group of release 1.22.5
> already made for mga9 that are in updates_testing, open a new specific bug
> for mga9, and go straight to release 1.22.6, which is the current one (that
> add a few security fixes not included in 1.22.5). But it will take some time.

Then we need to remove MGA8TOO and wait for the new set of packages. I'll update the list when the packages are ready.

CC: (none) => j.alberto.vc

Created attachment 14228 [details]
List of gstreamer-1.22.8 packages

Here is an updated list of files for gstreamer-1.22.8 that supersedes the one for 1.22.5.

Attachment 14129 is obsolete: 0 => 1
Tested on real hardware, Mageia 9 x86_64 LXQt.
Download all the rpms with qarepo.
Run in console as root: urpmi --auto --auto-update
urpmi updates the gstreamer packages I have in my system along with other updates:

```
1/46: gstreamer1.0-tools ###################################################################################
2/46: lib64gstreamer1.0_0 ###################################################################################
3/46: lib64gstreamer-plugins-base1.0_0 ###################################################################################
4/46: lib64gstgl1.0_0 ###################################################################################
5/46: gstreamer1.0-plugins-base ###################################################################################
6/46: lib64gstcodecparsers1.0_0 ###################################################################################
7/46: lib64gstwebrtc1.0_0 ###################################################################################
8/46: lib64gstwebrtcnice1.0_0 ###################################################################################
9/46: lib64gstcodecs1.0_0 ###################################################################################
10/46: gstreamer1.0-soup ###################################################################################
11/46: lib64gstcuda1.0_0 ###################################################################################
12/46: lib64gstwayland1.0_0 ###################################################################################
13/46: lib64gstplay1.0_0 ###################################################################################
14/46: lib64gstbadaudio1.0_0 ###################################################################################
15/46: lib64gstva1.0_0 ###################################################################################
16/46: lib64gstbasecamerabinsrc1.0_0 ###################################################################################
17/46: lib64gstsctp1.0_0 ###################################################################################
18/46: lib64gstmpegts1.0_0 ###################################################################################
19/46: lib64gstphotography1.0_0 ###################################################################################
20/46: lib64gsturidownloader1.0_0 ###################################################################################
21/46: gstreamer1.0-plugins-bad ###################################################################################
22/46: lib64gstplayer1.0_0 ###################################################################################
23/46: gstreamer1.0-plugins-good ###################################################################################
24/46: gstreamer1.0-vaapi ###################################################################################
25/46: gstreamer1.0-wavpack ###################################################################################
26/46: gstreamer1.0-faad ###################################################################################
27/46: gstreamer1.0-flac ###################################################################################
28/46: gstreamer1.0-twolame ###################################################################################
29/46: gstreamer1.0-x265 ###################################################################################
30/46: gstreamer1.0-mpeg ###################################################################################
31/46: gstreamer1.0-cdio ###################################################################################
32/46: gstreamer1.0-speex ###################################################################################
33/46: gstreamer1.0-dv ###################################################################################
34/46: gstreamer1.0-gsm ###################################################################################
35/46: gstreamer1.0-rtmp ###################################################################################
36/46: gstreamer1.0-a52dec ###################################################################################
37/46: gstreamer1.0-cdparanoia ###################################################################################
38/46: gstreamer1.0-pulse ###################################################################################
39/46: gstreamer1.0-lame ###################################################################################
40/46: gstreamer1.0-plugins-ugly ###################################################################################
41/46: gstreamer1.0-libav ###################################################################################
42/46: lib64gsttranscoder1.0_0 ###################################################################################
43/46: gstreamer1.0-gme ###################################################################################
44/46: lib64bluez3 ###################################################################################
45/46: qemu-user-binfmt ###################################################################################
46/46: bluez ###################################################################################
```
Assigning this to QA. Giuseppe, if this isn't ready yet, please change it back. Testers, be aware that there are tainted and non-tainted versions of several of these packages. Both need to be tested.

Assignee: pkg-bugs => qa-bugs

Merry thanks for the update, works great in Cauldron.

CC: (none) => xerxes2
Marja Van Waes 2023-12-21 18:40:37 CET

CVE: (none) => CVE-2022-1920, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122, CVE-2023-37327, CVE-2023-37328, CVE-2023-37329

Here https://www.zerodayinitiative.com/advisories/ZDI-23-1007/ and here https://www.zerodayinitiative.com/advisories/ZDI-23-1008/ I see that ZDI-CAN-21443 = CVE-2023-38103 and ZDI-CAN-21444 = CVE-2023-38104. I'll add those CVEs to the advisory instead of the ZDI-CAN numbers, but I can change that if that's wrong ;-)

(In reply to Giuseppe Ghibò from comment #16)
> Created attachment 14228 [details]
> List of gstreamer-1.22.8 packages
>
> Here is an updated list of files for gstreamer-1.22.8 that supersedes for
> 1.22.5.

Used that list to create an advisory, it can be seen here: https://svnweb.mageia.org/advisories/32071.adv?view=markup&pathrev=15438 I really hope I didn't miss a SRPM, feel free to check and remove the advisory keyword when something is wrong.

Keywords: (none) => advisory

(In reply to Marja Van Waes from comment #20)
> Here
> https://www.zerodayinitiative.com/advisories/ZDI-23-1007/
> and here
> https://www.zerodayinitiative.com/advisories/ZDI-23-1008/
>
> I see that ZDI-CAN-21443 = CVE-2023-38103
> and ZDI-CAN-21444 = CVE-2023-38104
>
> I'll add those CVEs to the advisory instead of the ZDI-CAN numbers, but I
> can change that if that's wrong ;-)

Ok. There are also more besides the initial CVEs, see: https://gstreamer.freedesktop.org/security/ It should be fixed up to the AV1 one (gstreamer security advisory 2023-0011).
Marja Van Waes 2023-12-21 19:29:59 CET

CVE: CVE-2022-1920, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122, CVE-2023-37327, CVE-2023-37328, CVE-2023-37329 => CVE-2022-1920, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122, CVE-2023-37327, CVE-2023-37328, CVE-2023-37329, CVE-2023-38103, CVE-2023-38104

(In reply to Giuseppe Ghibò from comment #22)
> There are also more besides the initial CVEs, see:
> https://gstreamer.freedesktop.org/security/
> it should be fixed up to the AV1 (gstreamer security advisory 2023-0011).

I'll have a look.

(In reply to Marja Van Waes from comment #23)
> (In reply to Giuseppe Ghibò from comment #22)
> > There are also more besides the initial CVEs, see:
> > https://gstreamer.freedesktop.org/security/
> > it should be fixed up to the AV1 (gstreamer security advisory 2023-0011).

Up to, but not including? Or up to and including?
(In reply to Marja Van Waes from comment #24)
> (In reply to Marja Van Waes from comment #23)
> > (In reply to Giuseppe Ghibò from comment #22)
> > > There are also more besides the initial CVEs, see:
> > > https://gstreamer.freedesktop.org/security/
> > > it should be fixed up to the AV1 (gstreamer security advisory 2023-0011).
>
> Up to, but not including? Or up to and including?

Up to and including. The latest fix included in 1.22.8 is this: https://gstreamer.freedesktop.org/security/sa-2023-0011.html

Marja Van Waes 2023-12-21 19:36:19 CET

CVE: CVE-2022-1920, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122, CVE-2023-37327, CVE-2023-37328, CVE-2023-37329, CVE-2023-38103, CVE-2023-38104 => CVE-2022-1920, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122, CVE-2023-37327, CVE-2023-37328, CVE-2023-37329, CVE-2023-38103, CVE-2023-38104, CVE-2023-40474, CVE-2023-40475, CVE-2023-40476, CVE-2023-44429, CVE-2023-44446

(In reply to Giuseppe Ghibò from comment #25)
> Up to and including. The latest fix included in 1.22.8 is this:
> https://gstreamer.freedesktop.org/security/sa-2023-0011.html

Thanks :-) Added, the current advisory can be seen here: https://svnweb.mageia.org/advisories/32071.adv?view=markup&pathrev=15443 (For those who don't know: the links to the CVEs will be automatically added to the references by the scripts that our sysadmins use when pushing a package to updates.)

I think I got all the rpms into qarepo - with the attached list formatted as it is, a simple copy-and-paste operation isn't easy, and it would be easy to miss one or two of them. Moving on... I discovered that, contrary to my former belief, updating to just the non-tainted packages does not remove the old tainted packages, at least with gstreamer. This means that in order to make a proper test of a non-tainted gstreamer, one needs a fully non-tainted MGA9 install. I have a VirtualBox guest I created for just this sort of situation, so...

MGA9-64 Plasma, in VirtualBox. The tainted repos have never been activated in this guest. Testing with Parole, by playing videos that use the Xvid, x.264, and x.265 codecs. All three videos played without errors.

On real hardware, MGA9-64 Plasma on an i5-2500, integrated Intel graphics (i915 driver). Gathered what I hope is all the rpms into qarepo, and updated. Played the same three videos with Parole, again with no errors. It appears to be OK, but just to be sure I will try it with some AMD hardware in the morning.

With all these CVEs I decided to keep going tonight, and tested the tainted version with my HP Pavilion 15, A8-4555 APU, with HD 7600G graphics, MGA9-64 Plasma system. No installation issues. I played some x264 and x265 videos in Parole, all played without issues. This has been sitting here too long now. These security holes need to be plugged. Giving it an OK, and validating.

Whiteboard: (none) => MGA9-64-OK

An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0354.html

Resolution: (none) => FIXED