Bug 30728 - gstreamer1.0-plugins-good new security issues CVE-2022-192[0-5] and CVE-2022-2122
Summary: gstreamer1.0-plugins-good new security issues CVE-2022-192[0-5] and CVE-2022-...
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-08-09 17:16 CEST by David Walser
Modified: 2022-09-10 22:28 CEST (History)
6 users (show)

See Also:
Source RPM: gstreamer1.0-plugins-good-1.18.5-1.mga8
Status comment:


Description David Walser 2022-08-09 17:16:22 CEST
Ubuntu has issued an advisory on August 8:

Mageia 8 is also affected.
David Walser 2022-08-09 17:16:36 CEST

CC: (none) => jani.valimaa
Status comment: (none) => Patches available from upstream and Ubuntu
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-08-10 22:00:50 CEST
This is a 'nobody' package, so assigning it globally.
wally has touched it quite a lot for new versions; you are already CC'd.

Assignee: bugsquad => pkg-bugs

Comment 2 Jani Välimaa 2022-08-11 15:36:00 CEST
According to upstream only versions before 1.20.3 are affected. Cauldron is already fixed with gst 1.20.3.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Source RPM: gstreamer1.0-plugins-good-1.20.3-2.mga9.src.rpm => gstreamer1.0-plugins-good-1.18.5-1.mga8

Comment 3 Jani Välimaa 2022-08-11 16:02:58 CEST
Pushed gstreamer1.0-plugins-good-1.18.5-1.1.mga8 to mga8 core/updates_testing with patches from upstream.

GStreamer-SA-2022-0001 (CVE-2022-1921):

GStreamer-SA-2022-0002 (CVE-2022-1922) (CVE-2022-1923) (CVE-2022-1924) (CVE-2022-1925):

GStreamer-SA-2022-0003 (CVE-2022-2122):

GStreamer-SA-2022-0004 (CVE-2022-1920)

Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2022-08-12 18:34:00 CEST
Debian has issued an advisory for this on August 9:

Status comment: Patches available from upstream and Ubuntu => (none)

Comment 5 Herman Viaene 2022-08-22 15:02:58 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
Trieed all sorts of media with VLC-player, clementine and from newepaper sit in Firefox. All OK. But I have no idea how these would involve this update. If judged sufficient, I'll have no problem that this update would go thru.

CC: (none) => herman.viaene

Comment 6 Guillaume Royer 2022-08-26 17:33:06 CEST

No installation issues.
Tested with VLC on MP3 and AVI files and web radio.
Firefox spotify and Netflix.

Like Herman I don't know if it's sufficient to validated this rpm.

CC: (none) => guillaume.royer

Comment 7 Thomas Andrews 2022-09-08 04:14:06 CEST
Tested in a VirtualBox mga8-64 Plasma guest. 

After reading Comment 5 and Comment 6, I tried "urpmq --whatrequires" and "urpmq --whatrequires-recursive" on this package and got a list, but vlc wasn't on it. So, I must conclude that vlc doesn't use it. 

Some other video players were on it, though: parole, totem, xplayer. I chose parole, as it's described as being based on gstreamer. 

I ran parole, played a few videos, then went after the update using Qarepo. No installation issues. After the update I used parole again to play portions of the videos, with no issues.

Just for good measure, I also installed totem, and played portions of another assortment of videos, also with no issues.

OKing, and validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-09-08 18:56:46 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-09-10 22:28:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.