CVEs have been assigned for several security issues fixed in gstreamer 1.10.3: http://openwall.com/lists/oss-security/2017/02/02/9 Two of those affect plugins-bad. The second one actually wasn't fixed in 1.10.3. I'm not sure if a fix has been committed for it yet, but one is proposed in the upstream bug. Mageia 5 may also be affected by these.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugsCC: (none) => marja11
URL: (none) => https://lwn.net/Vulnerabilities/713772/
gstreamer0.10-plugins-bad also affected: https://lwn.net/Vulnerabilities/713772/
Assignee: pkg-bugs => shlomif
CVE-2016-9809, CVE-2016-9812, CVE-2016-9813 also addressed by this Debian update: https://www.debian.org/security/2017/dsa-3818
openSUSE has issued an advisory for this on April 18: https://lists.opensuse.org/opensuse-updates/2017-04/msg00059.html
Note that there are core and tainted builds for these packages. The Mageia 6 tainted build isn't available yet because the build system was never fixed. Advisory (Mageia 5): ======================== Updated gstreamer0.10-plugins-bad and gstreamer1.0-plugins-bad packages fix security vulnerabilities: Chris Evans discovered that the GStreamer plugin to decode VMware screen capture files allowed the execution of arbitrary code (CVE-2016-9445, CVE-2016-9446). Chris Evans discovered that the GStreamer 0.10 plugin to decode NES Sound Format files allowed the execution of arbitrary code (CVE-2016-9447). Hanno Boeck discovered multiple vulnerabilities in the GStreamer media framework and its codecs and demuxers, which may result in denial of service or the execution of arbitrary code if a malformed media file is opened (CVE-2016-9809, CVE-2016-9812, CVE-2016-9813, CVE-2017-5843, CVE-2017-5848). The gstreamer0.10-plugins-bad package was affected by CVE-2016-9445, CVE-2016-9446, CVE-2016-9447, CVE-2016-9809, CVE-2017-5843, and CVE-2017-5848). The gstreamer1.0-plugins-bad package was affected by CVE-2016-9445, CVE-2016-9446, CVE-2016-9809, CVE-2016-9812, CVE-2016-9813, CVE-2017-5843, and CVE-2017-5848. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9445 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9446 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9447 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9809 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9812 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9813 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5843 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5848 http://openwall.com/lists/oss-security/2016/11/18/13 https://www.debian.org/security/2016/dsa-3713 https://www.debian.org/security/2016/dsa-3717 https://www.debian.org/security/2017/dsa-3818 ======================== Updated packages in {core,tainted}/updates_testing: ======================== gstreamer0.10-plugins-bad-0.10.23-22.2.mga5 libgstphotography0.10_0-0.10.23-22.2.mga5 libgstvdp0.10_0-0.10.23-22.2.mga5 libgstphotography-devel-0.10.23-22.2.mga5 libgstbasevideo0.10_0-0.10.23-22.2.mga5 libgstbasevideo-devel-0.10.23-22.2.mga5 gstreamer0.10-curl-0.10.23-22.2.mga5 gstreamer0.10-dc1394-0.10.23-22.2.mga5 gstreamer0.10-ofa-0.10.23-22.2.mga5 gstreamer0.10-wildmidi-0.10.23-22.2.mga5 gstreamer0.10-mpeg2enc-0.10.23-22.2.mga5 gstreamer0.10-gme-0.10.23-22.2.mga5 gstreamer0.10-dirac-0.10.23-22.2.mga5 gstreamer0.10-schroedinger-0.10.23-22.2.mga5 gstreamer0.10-vp8-0.10.23-22.2.mga5 gstreamer0.10-ladspa-0.10.23-22.2.mga5 gstreamer0.10-musepack-0.10.23-22.2.mga5 gstreamer0.10-mms-0.10.23-22.2.mga5 gstreamer0.10-rtmp-0.10.23-22.2.mga5 gstreamer0.10-directfb-0.10.23-22.2.mga5 gstreamer0.10-soundtouch-0.10.23-22.2.mga5 gstreamer0.10-kate-0.10.23-22.2.mga5 gstreamer0.10-libass-0.10.23-22.2.mga5 gstreamer0.10-resindvd-0.10.23-22.2.mga5 gstreamer0.10-voip-0.10.23-22.2.mga5 gstreamer0.10-cog-0.10.23-22.2.mga5 gstreamer0.10-plugins-bad-doc-0.10.23-22.2.mga5 gstreamer0.10-plugins-bad-debuginfo-0.10.23-22.2.mga5 gstreamer0.10-vdpau-0.10.23-22.2.mga5 gstreamer0.10-gsm-0.10.23-22.2.mga5 gstreamer0.10-neon-0.10.23-22.2.mga5 gstreamer0.10-nas-0.10.23-22.2.mga5 gstreamer0.10-jp2k-0.10.23-22.2.mga5 gstreamer0.10-celt-0.10.23-22.2.mga5 gstreamer0.10-rsvg-0.10.23-22.2.mga5 gstreamer1.0-plugins-bad-1.4.3-2.1.mga5 libgstphotography1.0_0-1.4.3-2.1.mga5 libgstcodecparsers1.0_0-1.4.3-2.1.mga5 libgstbasecamerabinsrc1.0_0-1.4.3-2.1.mga5 libgstbadbase1.0_0-1.4.3-2.1.mga5 libgstbadvideo1.0_0-1.4.3-2.1.mga5 libgstgl1.0_0-1.4.3-2.1.mga5 libgstwayland1.0_0-1.4.3-2.1.mga5 libgstinsertbin1.0_0-1.4.3-2.1.mga5 libgstmpegts1.0_0-1.4.3-2.1.mga5 libgsturidownloader1.0_0-1.4.3-2.1.mga5 libgstreamer-plugins-bad1.0-devel-1.4.3-2.1.mga5 gstreamer1.0-curl-1.4.3-2.1.mga5 gstreamer1.0-mpeg2enc-1.4.3-2.1.mga5 gstreamer1.0-gme-1.4.3-2.1.mga5 gstreamer1.0-schroedinger-1.4.3-2.1.mga5 gstreamer1.0-mms-1.4.3-2.1.mga5 gstreamer1.0-rtmp-1.4.3-2.1.mga5 gstreamer1.0-soundtouch-1.4.3-2.1.mga5 gstreamer1.0-libass-1.4.3-2.1.mga5 gstreamer1.0-opencv-1.4.3-2.1.mga5 gstreamer1.0-wildmidi-1.4.3-2.1.mga5 gstreamer1.0-plugins-bad-doc-1.4.3-2.1.mga5 libgstreamer-plugins-bad-gir1.0-1.4.3-2.1.mga5 gstreamer1.0-plugins-bad-debuginfo-1.4.3-2.1.mga5 gstreamer1.0-gsm-1.4.3-2.1.mga5 gstreamer1.0-dash-1.4.3-2.1.mga5 gstreamer1.0-directfb-1.4.3-2.1.mga5 gstreamer1.0-fluidsynth-1.4.3-2.1.mga5 gstreamer1.0-ladspa-1.4.3-2.1.mga5 gstreamer1.0-neon-1.4.3-2.1.mga5 gstreamer1.0-ofa-1.4.3-2.1.mga5 gstreamer1.0-sbc-1.4.3-2.1.mga5 gstreamer1.0-smoothstreaming-1.4.3-2.1.mga5 gstreamer1.0-spandsp-1.4.3-2.1.mga5 gstreamer1.0-srtp-1.4.3-2.1.mga5 from SRPMS: gstreamer0.10-plugins-bad-0.10.23-22.2.mga5.src.rpm gstreamer1.0-plugins-bad-1.4.3-2.1.mga5.src.rpm Advisory (Mageia 6): ======================== Updated gstreamer0.10-plugins-bad packages fix security vulnerabilities: Hanno Boeck discovered multiple vulnerabilities in the GStreamer media framework and its codecs and demuxers, which may result in denial of service or the execution of arbitrary code if a malformed media file is opened (CVE-2016-9809, CVE-2017-5843, CVE-2017-5848). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9809 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5843 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5848 https://www.debian.org/security/2017/dsa-3818 ======================== Updated packages in {core,tainted}/updates_testing: ======================== gstreamer0.10-plugins-bad-0.10.23-35.1.mga6 libgstphotography0.10_0-0.10.23-35.1.mga6 libgstvdp0.10_0-0.10.23-35.1.mga6 libgstphotography-devel-0.10.23-35.1.mga6 libgstbasevideo0.10_0-0.10.23-35.1.mga6 libgstbasevideo-devel-0.10.23-35.1.mga6 gstreamer0.10-curl-0.10.23-35.1.mga6 gstreamer0.10-dc1394-0.10.23-35.1.mga6 gstreamer0.10-ofa-0.10.23-35.1.mga6 gstreamer0.10-wildmidi-0.10.23-35.1.mga6 gstreamer0.10-mpeg2enc-0.10.23-35.1.mga6 gstreamer0.10-gme-0.10.23-35.1.mga6 gstreamer0.10-dirac-0.10.23-35.1.mga6 gstreamer0.10-schroedinger-0.10.23-35.1.mga6 gstreamer0.10-vp8-0.10.23-35.1.mga6 gstreamer0.10-ladspa-0.10.23-35.1.mga6 gstreamer0.10-musepack-0.10.23-35.1.mga6 gstreamer0.10-mms-0.10.23-35.1.mga6 gstreamer0.10-rtmp-0.10.23-35.1.mga6 gstreamer0.10-soundtouch-0.10.23-35.1.mga6 gstreamer0.10-kate-0.10.23-35.1.mga6 gstreamer0.10-libass-0.10.23-35.1.mga6 gstreamer0.10-resindvd-0.10.23-35.1.mga6 gstreamer0.10-voip-0.10.23-35.1.mga6 gstreamer0.10-cog-0.10.23-35.1.mga6 gstreamer0.10-plugins-bad-doc-0.10.23-35.1.mga6 gstreamer0.10-plugins-bad-debuginfo-0.10.23-35.1.mga6 gstreamer0.10-vdpau-0.10.23-35.1.mga6 gstreamer0.10-gsm-0.10.23-35.1.mga6 gstreamer0.10-neon-0.10.23-35.1.mga6 gstreamer0.10-nas-0.10.23-35.1.mga6 gstreamer0.10-jp2k-0.10.23-35.1.mga6 gstreamer0.10-celt-0.10.23-35.1.mga6 gstreamer0.10-rsvg-0.10.23-35.1.mga6 from gstreamer0.10-plugins-bad-0.10.23-35.1.mga6.src.rpm
Assignee: shlomif => qa-bugsBlocks: (none) => 19802, 19814Version: 5 => 6Whiteboard: (none) => MGA5TOOCC: (none) => pterjan
Mageia 6 tainted build is building now.
QA leaders, when adding the advisories in SVN, please add to the references for the Mageia 5 advisory bugs 19802, 19814, and 20238 (this bug). The advisory for Mageia 6 should only list this bug.
To prioritise.
Keywords: (none) => advisoryCC: (none) => davidwhodgins
Tested using radiotray and parole, first without tainted (had to turn off XV in parole), then with the tainted versions. Ok for Mageia 5.
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK MGA5-64-OK
Same testing with Mageia 6 ok. Validating the update.
Keywords: (none) => validated_updateWhiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0012.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0013.html