Debian has issued an advisory on April 15:
https://www.debian.org/security/2015/dsa-3225

Mageia 4 and Mageia 5 are affected.

Patch checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4 and Cauldron.

Note that there are both tainted and core builds for this package.

Advisory:
========================

Updated gstreamer0.10-plugins-bad packages fix security vulnerability:

Aki Helin discovered a buffer overflow in the GStreamer plugin for MP4 playback, which could lead to the execution of arbitrary code (CVE-2015-0797).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0797
https://www.debian.org/security/2015/dsa-3225
========================

Updated packages in core/updates_testing:
========================
gstreamer0.10-plugins-bad-0.10.23-14.1.mga4
libgstphotography0.10_0-0.10.23-14.1.mga4
libgstvdp0.10_0-0.10.23-14.1.mga4
libgstphotography-devel-0.10.23-14.1.mga4
libgstbasevideo0.10_0-0.10.23-14.1.mga4
libgstbasevideo-devel-0.10.23-14.1.mga4
gstreamer0.10-curl-0.10.23-14.1.mga4
gstreamer0.10-dc1394-0.10.23-14.1.mga4
gstreamer0.10-ofa-0.10.23-14.1.mga4
gstreamer0.10-wildmidi-0.10.23-14.1.mga4
gstreamer0.10-mpeg2enc-0.10.23-14.1.mga4
gstreamer0.10-gme-0.10.23-14.1.mga4
gstreamer0.10-dirac-0.10.23-14.1.mga4
gstreamer0.10-schroedinger-0.10.23-14.1.mga4
gstreamer0.10-vp8-0.10.23-14.1.mga4
gstreamer0.10-ladspa-0.10.23-14.1.mga4
gstreamer0.10-musepack-0.10.23-14.1.mga4
gstreamer0.10-mms-0.10.23-14.1.mga4
gstreamer0.10-rtmp-0.10.23-14.1.mga4
gstreamer0.10-directfb-0.10.23-14.1.mga4
gstreamer0.10-soundtouch-0.10.23-14.1.mga4
gstreamer0.10-kate-0.10.23-14.1.mga4
gstreamer0.10-libass-0.10.23-14.1.mga4
gstreamer0.10-resindvd-0.10.23-14.1.mga4
gstreamer0.10-voip-0.10.23-14.1.mga4
gstreamer0.10-cog-0.10.23-14.1.mga4
gstreamer0.10-plugins-bad-doc-0.10.23-14.1.mga4
gstreamer0.10-plugins-bad-debuginfo-0.10.23-14.1.mga4
gstreamer0.10-vdpau-0.10.23-14.1.mga4
gstreamer0.10-gsm-0.10.23-14.1.mga4
gstreamer0.10-neon-0.10.23-14.1.mga4
gstreamer0.10-nas-0.10.23-14.1.mga4
gstreamer0.10-jp2k-0.10.23-14.1.mga4
gstreamer0.10-celt-0.10.23-14.1.mga4
gstreamer0.10-rsvg-0.10.23-14.1.mga4

Updated packages in tainted/updates_testing:
========================
gstreamer0.10-plugins-bad-0.10.23-14.1.mga4
libgstphotography0.10_0-0.10.23-14.1.mga4
libgstvdp0.10_0-0.10.23-14.1.mga4
libgstphotography-devel-0.10.23-14.1.mga4
libgstbasevideo0.10_0-0.10.23-14.1.mga4
libgstbasevideo-devel-0.10.23-14.1.mga4
gstreamer0.10-curl-0.10.23-14.1.mga4
gstreamer0.10-dc1394-0.10.23-14.1.mga4
gstreamer0.10-ofa-0.10.23-14.1.mga4
gstreamer0.10-wildmidi-0.10.23-14.1.mga4
gstreamer0.10-mpeg2enc-0.10.23-14.1.mga4
gstreamer0.10-gme-0.10.23-14.1.mga4
gstreamer0.10-dirac-0.10.23-14.1.mga4
gstreamer0.10-schroedinger-0.10.23-14.1.mga4
gstreamer0.10-vp8-0.10.23-14.1.mga4
gstreamer0.10-ladspa-0.10.23-14.1.mga4
gstreamer0.10-dts-0.10.23-14.1.mga4
gstreamer0.10-xvid-0.10.23-14.1.mga4
gstreamer0.10-musepack-0.10.23-14.1.mga4
gstreamer0.10-mms-0.10.23-14.1.mga4
gstreamer0.10-rtmp-0.10.23-14.1.mga4
gstreamer0.10-directfb-0.10.23-14.1.mga4
gstreamer0.10-soundtouch-0.10.23-14.1.mga4
gstreamer0.10-kate-0.10.23-14.1.mga4
gstreamer0.10-libass-0.10.23-14.1.mga4
gstreamer0.10-resindvd-0.10.23-14.1.mga4
gstreamer0.10-voip-0.10.23-14.1.mga4
gstreamer0.10-cog-0.10.23-14.1.mga4
gstreamer0.10-plugins-bad-doc-0.10.23-14.1.mga4
gstreamer0.10-plugins-bad-debuginfo-0.10.23-14.1.mga4
gstreamer0.10-vdpau-0.10.23-14.1.mga4
gstreamer0.10-faad-0.10.23-14.1.mga4
gstreamer0.10-gsm-0.10.23-14.1.mga4
gstreamer0.10-neon-0.10.23-14.1.mga4
gstreamer0.10-nas-0.10.23-14.1.mga4
gstreamer0.10-jp2k-0.10.23-14.1.mga4
gstreamer0.10-celt-0.10.23-14.1.mga4
gstreamer0.10-rsvg-0.10.23-14.1.mga4

from gstreamer0.10-plugins-bad-0.10.23-14.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Version: Cauldron => 4
The actual file affected by this update is:
%{_libdir}/gstreamer-%{majorminor}/libgsth264parse.so

which is in the gstreamer0.10-plugins-bad RPM itself.

Probably the best way to test this is to transcode an H.264 file with arista, such as this one:
http://download.openbricks.org/sample/H264/big_buck_bunny_480p_H264_AAC_25fps_1800K_short.MP4
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
gstreamer0.10-plugins-bad

default install of gstreamer0.10-plugins-bad

[root@localhost wilcal]# urpmi gstreamer0.10-plugins-bad
Package gstreamer0.10-plugins-bad-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi arista
Package arista-0.9.7-9.mga4.noarch is already installed

Arista fails to launch:
https://bugs.mageia.org/show_bug.cgi?id=15807

Got another David?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
CC: (none) => wilcal.int
Ooh, bummer. Well, I *think* Firefox can play H.264 files itself. I just clicked on my link in Comment 2 and it played the video (no sound, probably need the tainted build for that) and it didn't appear to be using any plugins. I'm not 100% certain it wasn't using gecko-mediaplayer though. Otherwise, a video player that uses gstreamer0.10 to play that file would work...but I'm not sure what one might be.
(In reply to David Walser from comment #2)
> The actual file affected by this update is:
> %{_libdir}/gstreamer-%{majorminor}/libgsth264parse.so
>
> which is in the gstreamer0.10-plugins-bad RPM itself.
>
> Probably the best way to test this is to transcode an H.264 file with
> arista, such as this one:
> http://download.openbricks.org/sample/H264/big_buck_bunny_480p_H264_AAC_25fps_1800K_short.MP4

No, as it's broken and dropped, and vlc can do the same, or k9copy or mencoder or ffmpeg can do a better job.... so can you please stop suggesting obsoleted broken packages to be used to test something.
CC: (none) => ozkyster
(In reply to Otto Leipälä from comment #5)
> No, as it's broken and dropped, and vlc can do the same, or k9copy or mencoder or
> ffmpeg can do a better job.... so can you please stop suggesting obsoleted
> broken packages to be used to test something.

The attitude is uncalled for. I didn't know arista was broken, and the point was to try and find something that would actually use the affected file in this update. I don't think *any* of those things you mentioned use gstreamer0.10, so your comment is not helpful.
Looking over the files to be updated and used I found the following gstreamer files installed:

urpmq --whatrequires gstreamer0.10-x

y gstreamer0.10-plugins-bad-0.10.23-14.1.mga4
y libgstphotography0.10_0-0.10.23-14.1.mga4
n libgstvdp0.10_0-0.10.23-14.1.mga4
n libgstphotography-devel-0.10.23-14.1.mga4
y libgstbasevideo0.10_0-0.10.23-14.1.mga4
n libgstbasevideo-devel-0.10.23-14.1.mga4
n gstreamer0.10-curl-0.10.23-14.1.mga4
n gstreamer0.10-dc1394-0.10.23-14.1.mga4
n gstreamer0.10-ofa-0.10.23-14.1.mga4
n gstreamer0.10-wildmidi-0.10.23-14.1.mga4
y gstreamer0.10-mpeg2enc-0.10.23-14.1.mga4
n gstreamer0.10-gme-0.10.23-14.1.mga4
n gstreamer0.10-dirac-0.10.23-14.1.mga4
n gstreamer0.10-schroedinger-0.10.23-14.1.mga4
n gstreamer0.10-vp8-0.10.23-14.1.mga4
n gstreamer0.10-ladspa-0.10.23-14.1.mga4
y gstreamer0.10-dts-0.10.23-14.1.mga4
y gstreamer0.10-xvid-0.10.23-14.1.mga4
y gstreamer0.10-musepack-0.10.23-14.1.mga4
y gstreamer0.10-mms-0.10.23-14.1.mga4 radiotray
n gstreamer0.10-rtmp-0.10.23-14.1.mga4
n gstreamer0.10-directfb-0.10.23-14.1.mga4
n gstreamer0.10-soundtouch-0.10.23-14.1.mga4
n gstreamer0.10-kate-0.10.23-14.1.mga4
n gstreamer0.10-libass-0.10.23-14.1.mga4
n gstreamer0.10-resindvd-0.10.23-14.1.mga4
y gstreamer0.10-voip-0.10.23-14.1.mga4
n gstreamer0.10-cog-0.10.23-14.1.mga4
n gstreamer0.10-plugins-bad-doc-0.10.23-14.1.mga4
n gstreamer0.10-plugins-bad-debuginfo-0.10.23-14.1.mga4
n gstreamer0.10-vdpau-0.10.23-14.1.mga4
y gstreamer0.10-faad-0.10.23-14.1.mga4 radiotray
y gstreamer0.10-gsm-0.10.23-14.1.mga4
y gstreamer0.10-neon-0.10.23-14.1.mga4
n gstreamer0.10-nas-0.10.23-14.1.mga4
n gstreamer0.10-jp2k-0.10.23-14.1.mga4
n gstreamer0.10-celt-0.10.23-14.1.mga4
n gstreamer0.10-rsvg-0.10.23-14.1.mga4

gstreamer0.10-soup-0.10.31-6.mga4.i586 is installed with Radiotray
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
gstreamer0.10-plugins-bad gstreamer0.10-mpeg2enc gstreamer0.10-dts gstreamer0.10-xvid gstreamer0.10-musepack gstreamer0.10-mms gstreamer0.10-voip gstreamer0.10-faad gstreamer0.10-gsm gstreamer0.10-neon gstreamer0.10-soup

default install of gstreamer0.10-plugins-bad gstreamer0.10-mpeg2enc gstreamer0.10-dts gstreamer0.10-xvid gstreamer0.10-musepack gstreamer0.10-mms gstreamer0.10-voip gstreamer0.10-faad gstreamer0.10-gsm gstreamer0.10-neon gstreamer0.10-soup

[root@localhost wilcal]# urpmi gstreamer0.10-plugins-bad
Package gstreamer0.10-plugins-bad-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-mpeg2enc
Package gstreamer0.10-mpeg2enc-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-dts
Package gstreamer0.10-dts-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-xvid
Package gstreamer0.10-xvid-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-musepack
Package gstreamer0.10-musepack-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-mms
Package gstreamer0.10-mms-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-voip
Package gstreamer0.10-voip-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-faad
Package gstreamer0.10-faad-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-gsm
Package gstreamer0.10-gsm-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-neon
Package gstreamer0.10-neon-0.10.23-14.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-soup
Package gstreamer0.10-soup-0.10.31-6.mga4.i586 is already installed

Radiotray works.
Openshot can encode an xvid mp4 video.

install gstreamer0.10-plugins-bad gstreamer0.10-mpeg2enc gstreamer0.10-dts gstreamer0.10-xvid gstreamer0.10-musepack gstreamer0.10-mms gstreamer0.10-voip gstreamer0.10-faad gstreamer0.10-gsm gstreamer0.10-neon gstreamer0.10-soup from updates_testing

[root@localhost wilcal]# urpmi gstreamer0.10-plugins-bad
Package gstreamer0.10-plugins-bad-0.10.23-14.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-mpeg2enc
Package gstreamer0.10-mpeg2enc-0.10.23-14.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-dts
Package gstreamer0.10-dts-0.10.23-14.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-xvid
Package gstreamer0.10-xvid-0.10.23-14.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-musepack
Package gstreamer0.10-musepack-0.10.23-14.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-mms
Package gstreamer0.10-mms-0.10.23-14.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-voip
Package gstreamer0.10-voip-0.10.23-14.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-faad
Package gstreamer0.10-faad-0.10.23-14.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-gsm
Package gstreamer0.10-gsm-0.10.23-14.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-neon
Package gstreamer0.10-neon-0.10.23-14.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-soup
Package gstreamer0.10-soup-0.10.31-6.mga4.i586 is already installed

Radiotray works.
Openshot can encode an xvid mp4 video.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
gstreamer0.10-plugins-bad gstreamer0.10-mpeg2enc gstreamer0.10-dts gstreamer0.10-xvid gstreamer0.10-musepack gstreamer0.10-mms gstreamer0.10-voip gstreamer0.10-faad gstreamer0.10-gsm gstreamer0.10-neon gstreamer0.10-soup radiotray

default install of gstreamer0.10-plugins-bad gstreamer0.10-mpeg2enc gstreamer0.10-dts gstreamer0.10-xvid gstreamer0.10-musepack gstreamer0.10-mms gstreamer0.10-voip gstreamer0.10-faad gstreamer0.10-gsm gstreamer0.10-neon gstreamer0.10-soup radiotray

[root@localhost wilcal]# urpmi gstreamer0.10-plugins-bad
Package gstreamer0.10-plugins-bad-0.10.23-14.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-mpeg2enc
Package gstreamer0.10-mpeg2enc-0.10.23-14.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-dts
Package gstreamer0.10-dts-0.10.23-14.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-xvid
Package gstreamer0.10-xvid-0.10.23-14.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-musepack
Package gstreamer0.10-musepack-0.10.23-14.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-mms
Package gstreamer0.10-mms-0.10.23-14.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-voip
Package gstreamer0.10-voip-0.10.23-14.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-faad
Package gstreamer0.10-faad-0.10.23-14.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-gsm
Package gstreamer0.10-gsm-0.10.23-14.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-neon
Package gstreamer0.10-neon-0.10.23-14.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-soup
Package gstreamer0.10-soup-0.10.31-6.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi radiotray
Package radiotray-0.7.3-5.mga4.tainted.noarch is already installed

Radiotray works.
Openshot can encode an xvid mp4 video.

install gstreamer0.10-plugins-bad gstreamer0.10-mpeg2enc gstreamer0.10-dts gstreamer0.10-xvid gstreamer0.10-musepack gstreamer0.10-mms gstreamer0.10-voip gstreamer0.10-faad gstreamer0.10-gsm gstreamer0.10-neon gstreamer0.10-soup from updates_testing

[root@localhost wilcal]# urpmi gstreamer0.10-plugins-bad
Package gstreamer0.10-plugins-bad-0.10.23-14.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-mpeg2enc
Package gstreamer0.10-mpeg2enc-0.10.23-14.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-dts
Package gstreamer0.10-dts-0.10.23-14.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-xvid
Package gstreamer0.10-xvid-0.10.23-14.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-musepack
Package gstreamer0.10-musepack-0.10.23-14.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-mms
Package gstreamer0.10-mms-0.10.23-14.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-voip
Package gstreamer0.10-voip-0.10.23-14.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-faad
Package gstreamer0.10-faad-0.10.23-14.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-gsm
Package gstreamer0.10-gsm-0.10.23-14.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-neon
Package gstreamer0.10-neon-0.10.23-14.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi gstreamer0.10-soup
Package gstreamer0.10-soup-0.10.31-6.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi radiotray
Package radiotray-0.7.3-5.mga4.tainted.noarch is already installed

Radiotray works.
Openshot can encode an xvid mp4 video.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.26-1.mga4.x86_64
virtualbox-guest-additions-4.3.26-1.mga4.x86_64
Maybe this is as close as we can get to testing this thing. gstreamer0.10-voip seems to be the only thing really getting updated. Radiotray seems to be the only thing that is close to being affected. Everything installs correctly. OpenShot works fine before and after but I don't think that is in play here.
I think you can validate it.
It's outta here.

Testing complete for mga4 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks
Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
(In reply to David Walser from comment #6)
> (In reply to Otto Leipälä from comment #5)
> > No, as it's broken and dropped, and vlc can do the same, or k9copy or mencoder or
> > ffmpeg can do a better job.... so can you please stop suggesting obsoleted
> > broken packages to be used to test something.
>
> The attitude is uncalled for. I didn't know arista was broken, and the
> point was to try and find something that would actually use the affected
> file in this update. I don't think *any* of those things you mentioned use
> gstreamer0.10, so your comment is not helpful.

Oh yes, that explains why you did recommend arista, and yes, my post is not helpful.

Radiotray and gnash seem to be the only programs that require the old gstreamer 0.10.

urpmq --whatrequires gstreamer0.10-plugins-bad
gnash
gstreamer0.10-plugins-bad
radiotray
radiotray
(In reply to Otto Leipälä from comment #13)
> Radiotray and gnash seems to be only programs what requires old gstreamer
> 0.10.

Not quite true. Most packages that can use this will not require plugins-bad explicitly. As long as they use gstreamer0.10 itself, they can use the plugins-bad (or any other plugins) if they are installed.
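
Because applications load GStreamer plugins at run time without declaring a package dependency on plugins-bad, a dependency query undercounts the programs that can reach libgsth264parse.so. The script below is an added example, not part of the original thread: it lists processes that have the library mapped and flags those still holding the pre-update copy, which shows as "(deleted)" once the package manager has replaced the file. It assumes the Linux /proc maps layout; the sample tree, PIDs, paths and the process name "player" are constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread): report which processes have a
# shared object mapped, and whether the mapping is a stale pre-update copy.

# procs_mapping_lib PROC_ROOT LIBNAME
# Prints "PID COMM STATE" per matching process; STATE is "stale" when the
# mapped file was replaced on disk (maps line ends in "(deleted)").
procs_mapping_lib() {
    root=$1
    lib=$2
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        dir=${maps%/maps}
        pid=${dir##*/}
        # Field 6 of a maps line is the pathname; compare its basename.
        state=$(awk -v lib="$lib" '
            NF >= 6 {
                n = split($6, p, "/")
                if (p[n] == lib) {
                    if ($7 == "(deleted)") stale = 1
                    hit = 1
                }
            }
            END { if (hit) print (stale ? "stale" : "current") }
        ' "$maps" 2>/dev/null)
        [ -n "$state" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || comm="?"
        printf '%s %s %s\n' "$pid" "$comm" "$state"
    done
}

# Constructed sample tree standing in for /proc (paths and PIDs are made up).
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/101" "$d/202" "$d/303"
    echo radiotray > "$d/101/comm"
    echo player > "$d/202/comm"
    echo bash > "$d/303/comm"
    echo '7f10a000-7f10c000 r-xp 00000000 08:01 1311 /usr/lib64/gstreamer-0.10/libgsth264parse.so (deleted)' > "$d/101/maps"
    echo '7f20a000-7f20c000 r-xp 00000000 08:01 1422 /usr/lib64/gstreamer-0.10/libgsth264parse.so' > "$d/202/maps"
    echo '7f30a000-7f30c000 r-xp 00000000 08:01 1533 /usr/lib64/libc-2.18.so' > "$d/303/maps"
    echo "$d"
}

sample=$(make_sample_proc)
procs_mapping_lib "$sample" libgsth264parse.so
rm -rf "$sample"
# On a live system (as root): procs_mapping_lib /proc libgsth264parse.so
```

A process reported as "stale" keeps running the unpatched code until it is restarted, even though the fixed package is installed.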
Ok thanks for clearing this out.
Advisory uploaded.
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0188.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED