CVEs have been assigned for several security issues fixed in gstreamer 1.10.3:
http://openwall.com/lists/oss-security/2017/02/02/9

Two of those affect plugins-ugly. The second one actually wasn't fixed in 1.10.3, but a fix has been committed for it since. Mageia 5 may also be affected by these.
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => fundawang
URL: (none) => https://lwn.net/Vulnerabilities/713775/
gstreamer0.10-plugins-ugly also affected: https://lwn.net/Vulnerabilities/713775/
Assignee: fundawang => shlomif
Note that there are core and tainted builds for these packages. The Mageia 6 tainted build isn't available yet because the build system was never fixed.

Advisory (Mageia 5):
========================

Updated gstreamer0.10-plugins-ugly and gstreamer1.0-plugins-ugly packages fix security vulnerabilities:

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media framework and its codecs and demuxers, which may result in denial of service or the execution of arbitrary code if a malformed media file is opened (CVE-2017-5846, CVE-2017-5847).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5847
https://lwn.net/Alerts/714998/
https://www.debian.org/security/2017/dsa-3821
========================

Updated packages in {core,tainted}/updates_testing:
========================
gstreamer0.10-plugins-ugly-0.10.19-14.2.mga5
gstreamer0.10-plugins-ugly-debuginfo-0.10.19-14.2.mga5
gstreamer0.10-sid-0.10.19-14.2.mga5
gstreamer0.10-a52dec-0.10.19-14.2.mga5
gstreamer0.10-mpeg-0.10.19-14.2.mga5
gstreamer0.10-cdio-0.10.19-14.2.mga5
gstreamer0.10-twolame-0.10.19-14.2.mga5
gstreamer1.0-plugins-ugly-1.4.3-2.1.mga5
gstreamer1.0-plugins-ugly-debuginfo-1.4.3-2.1.mga5
gstreamer1.0-sid-1.4.3-2.1.mga5
gstreamer1.0-a52dec-1.4.3-2.1.mga5
gstreamer1.0-mpeg-1.4.3-2.1.mga5
gstreamer1.0-cdio-1.4.3-2.1.mga5

from SRPMS:
gstreamer0.10-plugins-ugly-0.10.19-14.2.mga5.src.rpm
gstreamer1.0-plugins-ugly-1.4.3-2.1.mga5.src.rpm

Advisory (Mageia 6):
========================

Updated gstreamer0.10-plugins-ugly packages fix security vulnerabilities:

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media framework and its codecs and demuxers, which may result in denial of service or the execution of arbitrary code if a malformed media file is opened (CVE-2017-5846, CVE-2017-5847).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5847
https://lwn.net/Alerts/714998/
https://www.debian.org/security/2017/dsa-3821
========================

Updated packages in {core,tainted}/updates_testing:
========================
gstreamer0.10-plugins-ugly-0.10.19-18.1.mga6
gstreamer0.10-plugins-ugly-debuginfo-0.10.19-18.1.mga6
gstreamer0.10-lame-0.10.19-18.1.mga6
gstreamer0.10-sid-0.10.19-18.1.mga6
gstreamer0.10-a52dec-0.10.19-18.1.mga6
gstreamer0.10-mpeg-0.10.19-18.1.mga6
gstreamer0.10-cdio-0.10.19-18.1.mga6
gstreamer0.10-twolame-0.10.19-18.1.mga

from gstreamer0.10-plugins-ugly-0.10.19-18.1.mga6.src.rpm
Version: 5 => 6
Whiteboard: (none) => MGA5TOO
Assignee: shlomif => qa-bugs
The tainted builds should be on their way shortly.
To prioritise.
CC: (none) => davidwhodgins
Keywords: (none) => advisory
Tested using radiotray and parole, first without tainted (had to turn off XV in parole), then with the tainted versions. Ok for Mageia 5.
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK MGA5-64-OK
Ok on m6. Validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0014.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0015.html