A CVE has been assigned for a security issue fixed in gst-plugins-base 1.10.2: http://openwall.com/lists/oss-security/2016/12/05/8
Assigning to maintainer, but CC'ing all packagers collectively, because the maintainer might be unavailable.
CC: (none) => marja11, pkg-bugsAssignee: bugsquad => fundawang
Debian-LTS has issued an advisory for this on December 8: https://lwn.net/Alerts/708489/
URL: (none) => https://lwn.net/Vulnerabilities/708525/Summary: gstreamer1.0-plugins-base new security issue CVE-2016-9811 => gstreamer0.10-plugins-base, gstreamer1.0-plugins-base new security issue CVE-2016-9811
gstreamer1.0-plugins-base in Cauldron has been updated to 1.10.2, fixing this. For the rest, patched packages uploaded for Mageia 5 and Cauldron. PoC on upstream bug, but requires ASAN: https://bugzilla.gnome.org/show_bug.cgi?id=774902 Testing that this installs clean should be sufficient. Advisory: ======================== Updated gstreamer0.10-plugins-base and gstreamer1.0-plugins-base packages fix security vulnerability: Out of bounds heap read in windows_icon_typefind() in gst/typefind/gsttypefindfunctions.c (CVE-2016-9811). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9811 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NIQWTZZVALYH454SGHKELGLZHRLOI6L6/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PB7J5MNSC6B347P3DG7V6OPLUJCRYM5Z/ ======================== Updated packages in core/updates_testing: ======================== gstreamer0.10-plugins-base-0.10.36-9.1.mga5 libgstreamer-plugins-base0.10_0-0.10.36-9.1.mga5 libgstreamer-plugins-base-gir0.10-0.10.36-9.1.mga5 libgstreamer-plugins-base0.10-devel-0.10.36-9.1.mga5 gstreamer0.10-gnomevfs-0.10.36-9.1.mga5 gstreamer0.10-cdparanoia-0.10.36-9.1.mga5 gstreamer0.10-libvisual-0.10.36-9.1.mga5 gstreamer1.0-plugins-base-1.4.3-2.1.mga5 libgstreamer-plugins-base1.0_0-1.4.3-2.1.mga5 libgstreamer-plugins-base-gir1.0-1.4.3-2.1.mga5 libgstreamer-plugins-base1.0-devel-1.4.3-2.1.mga5 gstreamer1.0-cdparanoia-1.4.3-2.1.mga5 gstreamer1.0-libvisual-1.4.3-2.1.mga5 from SRPMS: gstreamer0.10-plugins-base-0.10.36-9.1.mga5.src.rpm gstreamer1.0-plugins-base-1.4.3-2.1.mga5.src.rpm
Version: Cauldron => 5Assignee: fundawang => qa-bugs
This installed cleanly on x86_64 real hardware. The packages have a lot of connections according to 'urpmq --requires-recursive' which makes it difficult to figure out what to test it against so it is best to take David's advice and simply rely on a clean installation and watch the system. Ignoring the PoC as well, noting the requirement for ASAN. Good for 64 bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
i586 virtualbox installation test Packages already installed: gstreamer0.10-plugins libgstreamer-plugins-base0.10_0 gstreamer0.10-gnomevfs gstreamer1.0-plugins-base libgstreamer-plugins-base1.0_0 gstreamer1.0-cdparanoia Packages installed before update: libgstreamer-plugins-base-gir0.10-0.10.36 9.mga5 libgst-gir0.10 0.10.36 12.mga5 libgstreamer-plugins-base0.10 0.10.36 9.mga5 libgstreamer0.10-devel 0.10.36 12.mga liborc-devel 0.4.22 3.mga5 orc 0.4.22 3.mga5 gstreamer0.10-cdparanoia 0.10.36 9.mga5 gstreamer0.10-libvisual 0.10.36 9.mga5 libvisual-plugins 0.4.0 20.mga5 libvisual0 0.4.0 17.mga5 libgst-gir1.0 1.4.3 2.mga5 libgstreamer-plugins-base1.0 1.4.3 2.mga5 libgstreamer1.0-devel 1.4.3 2.mga5 gstreamer1.0-libvisual 1.4.3 2.mga5 I had already looked at the PoC targa file and apart from the lack of ASAN there was no obvious way of running it. Any image viewers simply failed to read it as a targa file. Had to change mirror after enabling Updates Testing... Packages offered: gstreamer0.10-cdparanoia 0.10.36 9.1.mga5 i586 gstreamer0.10-gnomevfs 0.10.36 9.1.mga5 i586 gstreamer0.10-libvisual 0.10.36 9.1.mga5 i586 gstreamer0.10-plugins-base 0.10.36 9.1.mga5 i586 libgstreamer-plugins-base-gir> 0.10.36 9.1.mga5 i586 libgstreamer-plugins-base0.10> 0.10.36 9.1.mga5 i586 libgstreamer-plugins-base0.10> 0.10.36 9.1.mga5 i586 These were added at installation time: gstreamer1.0-cdparanoia 1.4.3 2.1.mga5 i586 gstreamer1.0-libvisual 1.4.3 2.1.mga5 i586 gstreamer1.0-plugins-base 1.4.3 2.1.mga5 i586 libgstreamer-plugins-base1.0-> 1.4.3 2.1.mga5 i586 libgstreamer-plugins-base1.0_0 1.4.3 2.1.mga5 i586 Everything installed cleanly.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Validated & advisoried.
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisoryCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0021.html
Status: NEW => RESOLVEDResolution: (none) => FIXED