Bug 28685 - gstreamer1.0-plugins-good (CVE-2021-349[78]), gstreamer1.0-plugins-ugly, gstreamer1.0-libav new security issues fixed upstream in 1.18.4
Summary: gstreamer1.0-plugins-good (CVE-2021-349[78]), gstreamer1.0-plugins-ugly, gstr...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-03-31 00:29 CEST by David Walser
Modified: 2021-05-28 00:05 CEST

See Also:
Source RPM: gstreamer1.0-plugins-good-1.18.3-1.mga8.src.rpm, gstreamer1.0-plugins-ugly-1.18.3-1.mga8.src.rpm, gstreamer1.0-libav-1.18.3-1.mga8.src.rpm
CVE:
Status comment:


Attachments

David Walser 2021-03-31 00:30:04 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Aurelien Oudelet 2021-04-02 13:07:34 CEST
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => pkg-bugs
CC: (none) => jani.valimaa, ouaurelien

Comment 2 Jani Välimaa 2021-04-07 21:35:00 CEST
Patched mga8 pkgs are available for tests in core/updates_testing:
gstreamer1.0-plugins-good-1.18.3-1.2.mga8
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8
gstreamer1.0-libav-1.18.3-1.1.mga8

And in tainted/updates_testing:
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8

Comment 3 David Walser 2021-04-08 03:32:00 CEST
Comment 2 was SRPMs, here are RPMs. Mageia 7 still pending.

Core:
gstreamer1.0-plugins-good-1.18.3-1.2.mga8
gstreamer1.0-pulse-1.18.3-1.2.mga8
gstreamer1.0-vp8-1.18.3-1.2.mga8
gstreamer1.0-soup-1.18.3-1.2.mga8
gstreamer1.0-flac-1.18.3-1.2.mga8
gstreamer1.0-dv-1.18.3-1.2.mga8
gstreamer1.0-jack-1.18.3-1.2.mga8
gstreamer1.0-raw1394-1.18.3-1.2.mga8
gstreamer1.0-speex-1.18.3-1.2.mga8
gstreamer1.0-wavpack-1.18.3-1.2.mga8
gstreamer1.0-aalib-1.18.3-1.2.mga8
gstreamer1.0-twolame-1.18.3-1.2.mga8
gstreamer1.0-lame-1.18.3-1.2.mga8
gstreamer1.0-caca-1.18.3-1.2.mga8
gstreamer1.0-libav-1.18.3-1.1.mga8

Core and Tainted:
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8
gstreamer1.0-sid-1.18.3-1.1.mga8
gstreamer1.0-mpeg-1.18.3-1.1.mga8
gstreamer1.0-a52dec-1.18.3-1.1.mga8
gstreamer1.0-cdio-1.18.3-1.1.mga8

Comment 4 Jani Välimaa 2021-04-08 19:17:31 CEST
Mageia 7 pkgs.

Core:
gstreamer1.0-plugins-good-1.16.0-1.1.mga7
gstreamer1.0-jack-1.16.0-1.1.mga7
gstreamer1.0-soup-1.16.0-1.1.mga7
gstreamer1.0-pulse-1.16.0-1.1.mga7
gstreamer1.0-dv-1.16.0-1.1.mga7
gstreamer1.0-speex-1.16.0-1.1.mga7
gstreamer1.0-raw1394-1.16.0-1.1.mga7
gstreamer1.0-flac-1.16.0-1.1.mga7
gstreamer1.0-aalib-1.16.0-1.1.mga7
gstreamer1.0-caca-1.16.0-1.1.mga7
gstreamer1.0-vp8-1.16.0-1.1.mga7
gstreamer1.0-wavpack-1.16.0-1.1.mga7
gstreamer1.0-lame-1.16.0-1.1.mga7
gstreamer1.0-twolame-1.16.0-1.1.mga7
gstreamer1.0-libav-1.16.0-1.1.mga7

Core and Tainted:
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7
gstreamer1.0-sid-1.16.0-1.1.mga7
gstreamer1.0-a52dec-1.16.0-1.1.mga7
gstreamer1.0-mpeg-1.16.0-1.1.mga7
gstreamer1.0-cdio-1.16.0-1.1.mga7

David Walser 2021-04-10 01:16:36 CEST

Assignee: pkg-bugs => qa-bugs

Comment 5 Guillaume Royer 2021-04-14 14:14:02 CEST
MGA 7 VM Gnome

Updated with QA repo.
No issues at installation.

Listening to the webradio "La Grosse Radio" with VLC: OK

CC: (none) => guillaume.royer

Comment 6 Guillaume Royer 2021-04-14 17:50:49 CEST
MGA 8 Xfce

Updated with QA repo.
No issues at installation.

Listening to the webradio "La Grosse Radio" and MP3 with "Parole": OK

Comment 7 Aurelien Oudelet 2021-04-15 17:03:09 CEST
Updating to latest gstreamer RPMs, core and tainted.

Firefox plays .mp3 and all media OK.
Note that Plasma/DE seems to use gstreamer as the backend for phonon, the multimedia system.

$ rpm -qa | grep phonon
lib64phonon4qt5_4-4.11.1-2.mga8
lib64phonon4qt5experimental4-4.11.1-2.mga8
phonon4qt5-gstreamer-4.10.0-2.mga8
phonon4qt5-4.11.1-2.mga8
phonon-gstreamer-common-4.10.0-2.mga8

As long as multimedia is OK in all my Plasma apps,

I give this an OK.

Comment 8 Aurelien Oudelet 2021-04-15 17:23:41 CEST
Advisory:
========================

Updated gstreamer packages fix security vulnerabilities:

GStreamer before 1.18.4 might access already-freed memory in error code
paths when demuxing certain malformed Matroska files (SA-2021-0002).

GStreamer before 1.18.4 might cause heap corruption when parsing certain
malformed Matroska files (SA-2021-0003).

GStreamer before 1.18.4 might do an out-of-bounds read when handling
certain RealMedia files or streams (SA-2021-0004).

GStreamer before 1.18.4 might cause stack corruptions with streams that
have more than 64 audio channels (SA-2021-0005).

It might be possible for a malicious third party to trigger a crash in
the application, but possibly also an arbitrary code execution with the
privileges of the target user.

References:
https://gstreamer.freedesktop.org/security/sa-2021-0002.html
https://gstreamer.freedesktop.org/security/sa-2021-0003.html
https://gstreamer.freedesktop.org/security/sa-2021-0004.html
https://gstreamer.freedesktop.org/security/sa-2021-0005.html
https://gstreamer.freedesktop.org/releases/1.18/#1.18.4
========================

Updated packages from 7/core/updates_testing
========================
gstreamer1.0-a52dec-1.16.0-1.1.mga7
gstreamer1.0-aalib-1.16.0-1.1.mga7
gstreamer1.0-caca-1.16.0-1.1.mga7
gstreamer1.0-cdio-1.16.0-1.1.mga7
gstreamer1.0-dv-1.16.0-1.1.mga7
gstreamer1.0-flac-1.16.0-1.1.mga7
gstreamer1.0-jack-1.16.0-1.1.mga7
gstreamer1.0-lame-1.16.0-1.1.mga7
gstreamer1.0-libav-1.16.0-1.1.mga7
gstreamer1.0-mpeg-1.16.0-1.1.mga7
gstreamer1.0-plugins-good-1.16.0-1.1.mga7
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7
gstreamer1.0-pulse-1.16.0-1.1.mga7
gstreamer1.0-raw1394-1.16.0-1.1.mga7
gstreamer1.0-sid-1.16.0-1.1.mga7
gstreamer1.0-soup-1.16.0-1.1.mga7
gstreamer1.0-speex-1.16.0-1.1.mga7
gstreamer1.0-twolame-1.16.0-1.1.mga7
gstreamer1.0-vp8-1.16.0-1.1.mga7
gstreamer1.0-wavpack-1.16.0-1.1.mga7

from SRPM
========================
gstreamer1.0-libav-1.16.0-1.1.mga7
gstreamer1.0-plugins-good-1.16.0-1.1.mga7
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7

Updated packages from 7/tainted/updates_testing
========================
gstreamer1.0-a52dec-1.16.0-1.1.mga7.tainted
gstreamer1.0-amrnb-1.16.0-1.1.mga7.tainted
gstreamer1.0-amrwbdec-1.16.0-1.1.mga7.tainted
gstreamer1.0-cdio-1.16.0-1.1.mga7.tainted
gstreamer1.0-mpeg-1.16.0-1.1.mga7.tainted
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7.tainted
gstreamer1.0-sid-1.16.0-1.1.mga7.tainted
gstreamer1.0-x264-1.16.0-1.1.mga7.tainted

from SRPM
========================
gstreamer1.0-plugins-ugly-1.16.0-1.1.mga7.tainted

Updated packages from 8/core/updates_testing
========================
gstreamer1.0-a52dec-1.18.3-1.1.mga8
gstreamer1.0-aalib-1.18.3-1.2.mga8
gstreamer1.0-caca-1.18.3-1.2.mga8
gstreamer1.0-cdio-1.18.3-1.1.mga8
gstreamer1.0-dv-1.18.3-1.2.mga8
gstreamer1.0-flac-1.18.3-1.2.mga8
gstreamer1.0-jack-1.18.3-1.2.mga8
gstreamer1.0-lame-1.18.3-1.2.mga8
gstreamer1.0-libav-1.18.3-1.1.mga8
gstreamer1.0-mpeg-1.18.3-1.1.mga8
gstreamer1.0-plugins-good-1.18.3-1.2.mga8
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8
gstreamer1.0-pulse-1.18.3-1.2.mga8
gstreamer1.0-raw1394-1.18.3-1.2.mga8
gstreamer1.0-sid-1.18.3-1.1.mga8
gstreamer1.0-soup-1.18.3-1.2.mga8
gstreamer1.0-speex-1.18.3-1.2.mga8
gstreamer1.0-twolame-1.18.3-1.2.mga8
gstreamer1.0-vp8-1.18.3-1.2.mga8
gstreamer1.0-wavpack-1.18.3-1.2.mga8

from SRPM
========================
gstreamer1.0-libav-1.18.3-1.1.mga8
gstreamer1.0-plugins-good-1.18.3-1.2.mga8
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8
Updated packages from 8/tainted/updates_testing
========================
gstreamer1.0-a52dec-1.18.3-1.1.mga8.tainted
gstreamer1.0-amrnb-1.18.3-1.1.mga8.tainted
gstreamer1.0-amrwbdec-1.18.3-1.1.mga8.tainted
gstreamer1.0-cdio-1.18.3-1.1.mga8.tainted
gstreamer1.0-mpeg-1.18.3-1.1.mga8.tainted
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8.tainted
gstreamer1.0-sid-1.18.3-1.1.mga8.tainted
gstreamer1.0-x264-1.18.3-1.1.mga8.tainted

from SRPM
========================
gstreamer1.0-plugins-ugly-1.18.3-1.1.mga8.tainted

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 9 Mageia Robot 2021-04-15 21:06:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0187.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2021-05-28 00:05:24 CEST
CVE-2021-3497, CVE-2021-3498 were assigned for gstreamer1.0-plugins-good:
https://www.debian.org/security/2021/dsa-4900

Summary: gstreamer1.0-plugins-good, gstreamer1.0-plugins-ugly, gstreamer1.0-libav new security issues fixed upstream in 1.18.4 => gstreamer1.0-plugins-good (CVE-2021-349[78]), gstreamer1.0-plugins-ugly, gstreamer1.0-libav new security issues fixed upstream in 1.18.4

