| Summary: | gstreamer1.0-plugins-{base,good,bad,ugly} new security issues CVE-2024-0444 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Giuseppe Ghibò <ghibomgx> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, ghibomgx, herman.viaene, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK, MGA9-32-OK | ||
| Source RPM: | CVE: | CVE-2024-0444 | |
| Status comment: | |||
| Attachments: | files list fore core/release, files list tainted/release |
||
|
Description
Giuseppe Ghibò
2024-04-01 22:36:16 CEST
I updated the packages to gstreamer-1.22.11 in mga9's updates_testing. Packages are:
gstreamer1.0
gstreamer1.0-devtools
gstreamer1.0-editing-services
gstreamer1.0-libav
gstreamer1.0-moodbar
gstreamer1.0-omx
gstreamer1.0-plugins-bad
gstreamer1.0-plugins-base
gstreamer1.0-plugins-good
gstreamer1.0-plugins-ugly
gstreamer1.0-python
gstreamer1.0-rtsp-server
gstreamer1.0-vaapi
files list will follow.

Assigning to you as you are already doing it! And thank you for your prompt action.

Assignee: bugsquad => ghibomgx

Created attachment 14490
files list fore core/release

Created attachment 14491
files list tainted/release

files list for tainted/release added.

katnatek
2024-04-03 20:23:06 CEST
Component: RPM Packages => Security

Giuseppe, can you confirm the list of src.rpms?

src:
9:
core:
- gstreamer1.0-1.22.11-1.mga9
- gstreamer1.0-devtools-1.22.11-1.mga9
- gstreamer1.0-editing-services-1.22.11-1.mga9
- gstreamer1.0-libav-1.22.11-1.mga9
- gstreamer1.0-moodbar-1.3.0-1.mga9
- gstreamer1.0-omx-1.22.11-1.mga9
- gstreamer1.0-plugins-bad-1.22.11-1.mga9
- gstreamer1.0-plugins-base-1.22.11-1.mga9
- gstreamer1.0-plugins-good-1.22.11-1.mga9
- gstreamer1.0-plugins-ugly-1.22.11-1.mga9
- gstreamer1.0-python-1.22.11-1.mga9
- gstreamer1.0-rtsp-server-1.22.11-1.mga9
- gstreamer1.0-vaapi-1.22.11-1.mga9
tainted:
- gstreamer1.0-plugins-bad-1.22.11-1.mga9
- gstreamer1.0-plugins-ugly-1.22.11-1.mga9

Keywords: (none) => advisory

katnatek
2024-04-03 20:38:03 CEST
CC: (none) => ghibomgx

(In reply to katnatek from comment #5)
> Giuseppe, can you confirm the list of src.rpms?
>
> src:
> 9:
> core:
> - gstreamer1.0-1.22.11-1.mga9
> - gstreamer1.0-devtools-1.22.11-1.mga9
> - gstreamer1.0-editing-services-1.22.11-1.mga9
> - gstreamer1.0-libav-1.22.11-1.mga9
> - gstreamer1.0-moodbar-1.3.0-1.mga9
> - gstreamer1.0-omx-1.22.11-1.mga9
> - gstreamer1.0-plugins-bad-1.22.11-1.mga9
> - gstreamer1.0-plugins-base-1.22.11-1.mga9
> - gstreamer1.0-plugins-good-1.22.11-1.mga9
> - gstreamer1.0-plugins-ugly-1.22.11-1.mga9
> - gstreamer1.0-python-1.22.11-1.mga9
> - gstreamer1.0-rtsp-server-1.22.11-1.mga9
> - gstreamer1.0-vaapi-1.22.11-1.mga9
> tainted:
> - gstreamer1.0-plugins-bad-1.22.11-1.mga9
> - gstreamer1.0-plugins-ugly-1.22.11-1.mga9

yes.

RH mageia 9 x86_64
Update first to core version
Play a free format file with gst-play-1.0
Update to tainted version
Play a free format file with gst-play-1.0
Play a nonfree format with gst-play-1.0
OK for me

MGA9-64 Plasma in VirtualBox. This particular guest is "untainted," meaning that the tainted repos were never activated.
The following 42 packages are going to be installed:
- gstreamer1.0-a52dec-1.22.11-1.mga9.x86_64
- gstreamer1.0-cdio-1.22.11-1.mga9.x86_64
- gstreamer1.0-cdparanoia-1.22.11-1.mga9.x86_64
- gstreamer1.0-dv-1.22.11-1.mga9.x86_64
- gstreamer1.0-flac-1.22.11-1.mga9.x86_64
- gstreamer1.0-fluidsynth-1.22.11-1.mga9.x86_64
- gstreamer1.0-gme-1.22.11-1.mga9.x86_64
- gstreamer1.0-gsm-1.22.11-1.mga9.x86_64
- gstreamer1.0-libav-1.22.11-1.mga9.x86_64
- gstreamer1.0-moodbar-1.3.0-1.mga9.x86_64
- gstreamer1.0-mpeg-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-bad-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-base-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-good-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-ugly-1.22.11-1.mga9.x86_64
- gstreamer1.0-pulse-1.22.11-1.mga9.x86_64
- gstreamer1.0-rtmp-1.22.11-1.mga9.x86_64
- gstreamer1.0-soup-1.22.11-1.mga9.x86_64
- gstreamer1.0-speex-1.22.11-1.mga9.x86_64
- gstreamer1.0-tools-1.22.11-1.mga9.x86_64
- gstreamer1.0-twolame-1.22.11-1.mga9.x86_64
- gstreamer1.0-vaapi-1.22.11-1.mga9.x86_64
- gstreamer1.0-wavpack-1.22.11-1.mga9.x86_64
- lib64gstbadaudio1.0_0-1.22.11-1.mga9.x86_64
- lib64gstbasecamerabinsrc1.0_0-1.22.11-1.mga9.x86_64
- lib64gstcodecparsers1.0_0-1.22.11-1.mga9.x86_64
- lib64gstcodecs1.0_0-1.22.11-1.mga9.x86_64
- lib64gstcuda1.0_0-1.22.11-1.mga9.x86_64
- lib64gstgl1.0_0-1.22.11-1.mga9.x86_64
- lib64gstmpegts1.0_0-1.22.11-1.mga9.x86_64
- lib64gstphotography1.0_0-1.22.11-1.mga9.x86_64
- lib64gstplay1.0_0-1.22.11-1.mga9.x86_64
- lib64gstplayer1.0_0-1.22.11-1.mga9.x86_64
- lib64gstreamer-plugins-base1.0_0-1.22.11-1.mga9.x86_64
- lib64gstreamer1.0_0-1.22.11-1.mga9.x86_64
- lib64gstsctp1.0_0-1.22.11-1.mga9.x86_64
- lib64gsttranscoder1.0_0-1.22.11-1.mga9.x86_64
- lib64gsturidownloader1.0_0-1.22.11-1.mga9.x86_64
- lib64gstva1.0_0-1.22.11-1.mga9.x86_64
- lib64gstwayland1.0_0-1.22.11-1.mga9.x86_64
- lib64gstwebrtc1.0_0-1.22.11-1.mga9.x86_64
- lib64gstwebrtcnice1.0_0-1.22.11-1.mga9.x86_64

No installation issues.

Using Parole, which is based on gstreamer, for testing. Comment 0 says the update concerns the AV1 (NOT AVI) codec, so I used Handbrake on the host system to transcode two videos into that codec. Both played normally in Parole, so the core packages appear to be OK.

CC: (none) => andrewsfarm

RH mageia 9 i586
Update to core packages without issues
Update to tainted packages without issues
Use the video in https://bugs.mageia.org/show_bug.cgi?id=33014#c10
gst-play-1.0 spbtv_sample_bipbop_av1_960x540_25fps.mp4
Reproduce the video without issues

gstreamer1.0-1.22.11-1.mga9 not found in the remote repository
gstreamer1.0-rtsp-server-1.22.11-1.mga9 not found in the remote repository
Still aftereffect from down period???

CC: (none) => herman.viaene

(In reply to Herman Viaene from comment #10)
> gstreamer1.0-1.22.11-1.mga9 not found in the remote repository
> gstreamer1.0-rtsp-server-1.22.11-1.mga9 not found in the remote repository
> Still aftereffect from down period???

lib64gstrtspserver1.0_0-1.22.11-1.mga9
lib64gstrtspserver-gir1.0-1.22.11-1.mga9
gstreamer1.0-rtspclientsink-1.22.11-1.mga9

gstreamer1.0-1.22.11-1.mga9 does not exist in the list of packages
gstreamer1.0-1.22.11-1 is a source rpm.

Herman, use one of the lists from the attachments for your tests.

As I test other gstreamer dependent application https://bugs.mageia.org/show_bug.cgi?id=33077#c3 , I do not see why we should hold this update

Whiteboard: (none) => MGA9-64-OK, MGA9-32-OK

I was just thinking the same. Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0119.html

Resolution: (none) => FIXED |