CVEs have been assigned for several security issues fixed in gstreamer 1.10.3:
http://openwall.com/lists/oss-security/2017/02/02/9

One of those is in the gstreamer core. Mageia 5 may be affected.
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => fundawang
URL: (none) => https://lwn.net/Vulnerabilities/713776/
Assignee: fundawang => shlomif
openSUSE has issued an advisory for this on April 18: https://lists.opensuse.org/opensuse-updates/2017-04/msg00058.html
pushed in updates_testing src.rpm: gstreamer1.0-1.4.3-2.1.mga5
CC: (none) => mageia
Assignee: shlomif => qa-bugs
Advisory:
========================

Updated gstreamer1.0 packages fix security vulnerability:

A crafted AVI file could have caused an invalid memory read, possibly causing DoS or corruption (CVE-2017-5838).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5838
https://lists.opensuse.org/opensuse-updates/2017-04/msg00058.html
========================

Updated packages in core/updates_testing:
========================
gstreamer1.0-tools-1.4.3-2.1.mga5
libgstreamer1.0_0-1.4.3-2.1.mga5
libgst-gir1.0-1.4.3-2.1.mga5
libgstreamer1.0-devel-1.4.3-2.1.mga5

from gstreamer1.0-1.4.3-2.1.mga5.src.rpm
Installed and tested without issues.

Tested using gst-play-1.0 to play dozens of video and audio files, including local and remote (http) files, using a variety of codecs.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep gst.*1\.0 | sort
gstreamer1.0-libav-1.4.3-4.mga5
gstreamer1.0-plugins-bad-1.4.3-2.mga5.tainted
gstreamer1.0-plugins-base-1.4.3-2.2.mga5
gstreamer1.0-plugins-good-1.4.3-2.2.mga5
gstreamer1.0-plugins-ugly-1.4.3-2.mga5.tainted
gstreamer1.0-pulse-1.4.3-2.2.mga5
gstreamer1.0-soup-1.4.3-2.2.mga5
gstreamer1.0-tools-1.4.3-2.1.mga5
lib64gstbadbase1.0_0-1.4.3-2.mga5.tainted
lib64gstbadvideo1.0_0-1.4.3-2.mga5.tainted
lib64gstbasecamerabinsrc1.0_0-1.4.3-2.mga5.tainted
lib64gstcodecparsers1.0_0-1.4.3-2.mga5.tainted
lib64gstgl1.0_0-1.4.3-2.mga5.tainted
lib64gstmpegts1.0_0-1.4.3-2.mga5.tainted
lib64gstphotography1.0_0-1.4.3-2.mga5.tainted
lib64gstreamer1.0_0-1.4.3-2.1.mga5
lib64gstreamer1.0-devel-1.4.3-2.1.mga5
lib64gstreamer-plugins-base1.0_0-1.4.3-2.2.mga5
lib64gstreamer-plugins-base1.0-devel-1.4.3-2.2.mga5
lib64gsturidownloader1.0_0-1.4.3-2.mga5.tainted
lib64gstwayland1.0_0-1.4.3-2.mga5.tainted
lib64qtgstreamer1.0_0-1.2.0-2.mga5
lib64qtgstreamerutils1.0_0-1.2.0-2.mga5
packagekit-gstreamer-plugin-1.0.6-0.4.1.mga5
CC: (none) => mageia
Whiteboard: (none) => MGA5-64-OK
Thanks PC_LX for this test. Validating with just 1 good test as per current policy.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0300.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED