CVEs have been assigned for several security issues fixed in gstreamer 1.10.3: http://openwall.com/lists/oss-security/2017/02/02/9 Four of those affect plugins-base. Mageia 5 may be affected.
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.
CC: (none) => marja11, pkg-bugsAssignee: bugsquad => fundawang
URL: (none) => https://lwn.net/Vulnerabilities/713773/
gstreamer0.10-plugins-base also affected: https://lwn.net/Alerts/714996/
Assignee: fundawang => shlomif
openSUSE has issued an advisory on April 20: https://lists.opensuse.org/opensuse-updates/2017-04/msg00084.html
Pushed in updates_testing src.rpm: gstreamer1.0-plugins-base-1.4.3-2.2.mga5 gstreamer0.10-plugins-base-0.10.36-9.2.mga5
CC: (none) => mageiaAssignee: shlomif => qa-bugs
Advisory: ======================== Updated gstreamer0.10-plugins-base and gstreamer1.0-plugins-base packages fix security vulnerabilities: Denial of service in GStreamer base plugins can be caused by floating point exceptions (CVE-2017-5837, CVE-2017-5844), stack overflow (CVE-2017-5839), or out-of-bounds heap read (CVE-2017-5842). Note that GStreamer 0.10 was only affected by the floating point exceptions. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5837 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5839 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5842 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5844 http://openwall.com/lists/oss-security/2017/02/02/9 https://lwn.net/Alerts/714996/ ======================== Updated packages in core/updates_testing: ======================== gstreamer0.10-plugins-base-0.10.36-9.2.mga5 gstreamer0.10-plugins-base-debuginfo-0.10.36-9.2.mga5 libgstreamer-plugins-base0.10_0-0.10.36-9.2.mga5 libgstreamer-plugins-base-gir0.10-0.10.36-9.2.mga5 libgstreamer-plugins-base0.10-devel-0.10.36-9.2.mga5 gstreamer0.10-gnomevfs-0.10.36-9.2.mga5 gstreamer0.10-cdparanoia-0.10.36-9.2.mga5 gstreamer0.10-libvisual-0.10.36-9.2.mga5 gstreamer1.0-plugins-base-1.4.3-2.2.mga5 gstreamer1.0-plugins-base-debuginfo-1.4.3-2.2.mga5 libgstreamer-plugins-base1.0_0-1.4.3-2.2.mga5 libgstreamer-plugins-base-gir1.0-1.4.3-2.2.mga5 libgstreamer-plugins-base1.0-devel-1.4.3-2.2.mga5 gstreamer1.0-cdparanoia-1.4.3-2.2.mga5 gstreamer1.0-libvisual-1.4.3-2.2.mga5 from SRPMS: gstreamer0.10-plugins-base-0.10.36-9.2.mga5.src.rpm gstreamer1.0-plugins-base-1.4.3-2.2.mga5.src.rpm
Installed and tested without issues. NOTICE: Only tested the gstreamer1.0 packages. Tested using gst-play-1.0 to play dozens of video and audio files, including local and remote (http) files, using a variety of codecs. Have to look in to a practical way to test the gstreamer0.10 packages. $ uname -a Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | grep gst.*1\.0 | sort gstreamer1.0-libav-1.4.3-4.mga5 gstreamer1.0-plugins-bad-1.4.3-2.mga5.tainted gstreamer1.0-plugins-base-1.4.3-2.2.mga5 gstreamer1.0-plugins-good-1.4.3-2.2.mga5 gstreamer1.0-plugins-ugly-1.4.3-2.mga5.tainted gstreamer1.0-pulse-1.4.3-2.2.mga5 gstreamer1.0-soup-1.4.3-2.2.mga5 gstreamer1.0-tools-1.4.3-2.1.mga5 lib64gstbadbase1.0_0-1.4.3-2.mga5.tainted lib64gstbadvideo1.0_0-1.4.3-2.mga5.tainted lib64gstbasecamerabinsrc1.0_0-1.4.3-2.mga5.tainted lib64gstcodecparsers1.0_0-1.4.3-2.mga5.tainted lib64gstgl1.0_0-1.4.3-2.mga5.tainted lib64gstmpegts1.0_0-1.4.3-2.mga5.tainted lib64gstphotography1.0_0-1.4.3-2.mga5.tainted lib64gstreamer1.0_0-1.4.3-2.1.mga5 lib64gstreamer1.0-devel-1.4.3-2.1.mga5 lib64gstreamer-plugins-base1.0_0-1.4.3-2.2.mga5 lib64gstreamer-plugins-base1.0-devel-1.4.3-2.2.mga5 lib64gsturidownloader1.0_0-1.4.3-2.mga5.tainted lib64gstwayland1.0_0-1.4.3-2.mga5.tainted lib64qtgstreamer1.0_0-1.2.0-2.mga5 lib64qtgstreamerutils1.0_0-1.2.0-2.mga5 packagekit-gstreamer-plugin-1.0.6-0.4.1.mga5
CC: (none) => mageia
@PC LX You could try gnash for shockwave flash files. strace shows that it opens the lib64gstreamer0.1 library. $ strace gnash Cassini_Saturn_flyover.swf 2> gnash.trace$ cat gnash.trace | grep gstreamer open("/usr/lib64/gnash/libgstreamer-0.10.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) open("/lib64/libgstreamer-0.10.so.0", O_RDONLY|O_CLOEXEC) = 3 open("/usr/lib64/libgstreamer-0.10.so.0.30.0", O_RDONLY) = 4 That was without updating. lightspark uses gnash but I could not get a proper trace on that. Oddly, gnash does not seem to be supported on mga6.
CC: (none) => tarazed25
That should read: $ strace gnash Cassini_Saturn_flyover.swf 2> gnash.trace $ cat gnash.trace | grep gstreamer
MGA5-32 on Asus A6000VM Xfce No installation issues. traced parole in playing .wav and mpg, and gnash to play swf. All parole traces show: open("/lib/libgstreamer-1.0.so.0", O_RDONLY|O_CLOEXEC) = 3 Seems OK for me.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA5-32-OK
Making this official for the 0.10 plugins on mga5::x86_64. $ strace gnash surfacefly_spirit.swf 2> gnash.trace The shockwave flash video played through OK. In the trace there were dozens of gstreamer-0.10 references and lines like this: openat(AT_FDCWD, "/usr/lib64/gstreamer-0.10", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 7 totem uses the gstreamer1.0 plugins and plays MP4, mkv, wmv and MOV files. Good for 64 bits based on these tests and those of comment 6. Thanks PC LX.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisoryKeywords: (none) => validated_updateCC: (none) => lewyssmith, sysadmin-bugs
Update ID assignment failed Checking for QA validation keyword⦠â Checking dependent bugs⦠â (None found) Checking SRPMs⦠â (5/core/gstreamer0.10-plugins-base-0.10.36-9.2.mga5.src.rpm) â (5/core/gstreamer1.0-plugins-base-1.4.3-2.2.mga5.src.rpm) 'validated_update' keyword reset.
Keywords: validated_update => (none)
(In reply to Nicolas Lécureuil from comment #11) > Update ID assignment failed > > Checking for QA validation keyword⦠â > Checking dependent bugs⦠â (None found) > Checking SRPMs⦠â > (5/core/gstreamer0.10-plugins-base-0.10.36-9.2.mga5.src.rpm) â > (5/core/gstreamer1.0-plugins-base-1.4.3-2.2.mga5.src.rpm) > > > 'validated_update' keyword reset. I just double checked and those SRPMS names are correct. Why did the script fail?
(In reply to Nicolas Lécureuil from comment #11) > Update ID assignment failed > Checking for QA validation keyword⦠â > Checking dependent bugs⦠â (None found) > Checking SRPMs⦠â > (5/core/gstreamer0.10-plugins-base-0.10.36-9.2.mga5.src.rpm) â > (5/core/gstreamer1.0-plugins-base-1.4.3-2.2.mga5.src.rpm) > 'validated_update' keyword reset. @Nicolas In the light of David's confirmation above - what is the problem? Is there anything I can do to be shot of this?
are .src.rpm needed in the advisory ? i doubt it i think this should be 5/core/gstreamer0.10-plugins-base-0.10.36-9.2.mga5 instead of 5/core/gstreamer0.10-plugins-base-0.10.36-9.2.mga5.src.rpm ( and the same for the other one )
Thanks for the pointer. Of course. Basic; Advisory-drunk, I guess. I have corrected it. BTW In future, where the advisory is wrong, it is better to *leave* 'validated update' and *clear* 'advisory'. We are agreed to have validated updates awaiting their advisories; this removes them from the main list.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0320.html
Status: NEW => RESOLVEDResolution: (none) => FIXED