The gstreamer security page has a report here: https://gstreamer.freedesktop.org/security/sa-2024-0001.html that gstreamer < 1.22.9 (mga9 actually has gstreamer 1.22.8) is affected by a security problem [Security Advisory 2024-0001 (ZDI-CAN-22873) (CVE-2024-0444)] in the AV1 codec.
I updated the packages to gstreamer-1.22.11 in mga9's updates_testing. Packages are:
gstreamer1.0 gstreamer1.0-devtools gstreamer1.0-editing-services gstreamer1.0-libav gstreamer1.0-moodbar gstreamer1.0-omx gstreamer1.0-plugins-bad gstreamer1.0-plugins-base gstreamer1.0-plugins-good gstreamer1.0-plugins-ugly gstreamer1.0-python gstreamer1.0-rtsp-server gstreamer1.0-vaapi
Files list will follow.
Assigning to you as you are already doing it! And thank you for your prompt action.
Assignee: bugsquad => ghibomgx
Created attachment 14490
files list for core/release
Created attachment 14491
files list tainted/release
files list for tainted/release added.
Component: RPM Packages => Security
QA Contact: (none) => security
CVE: (none) => CVE-2024-0444
Giuseppe, can you confirm the list of src.rpms?
src:
  9:
    core:
      - gstreamer1.0-1.22.11-1.mga9
      - gstreamer1.0-devtools-1.22.11-1.mga9
      - gstreamer1.0-editing-services-1.22.11-1.mga9
      - gstreamer1.0-libav-1.22.11-1.mga9
      - gstreamer1.0-moodbar-1.3.0-1.mga9
      - gstreamer1.0-omx-1.22.11-1.mga9
      - gstreamer1.0-plugins-bad-1.22.11-1.mga9
      - gstreamer1.0-plugins-base-1.22.11-1.mga9
      - gstreamer1.0-plugins-good-1.22.11-1.mga9
      - gstreamer1.0-plugins-ugly-1.22.11-1.mga9
      - gstreamer1.0-python-1.22.11-1.mga9
      - gstreamer1.0-rtsp-server-1.22.11-1.mga9
      - gstreamer1.0-vaapi-1.22.11-1.mga9
    tainted:
      - gstreamer1.0-plugins-bad-1.22.11-1.mga9
      - gstreamer1.0-plugins-ugly-1.22.11-1.mga9
Keywords: (none) => advisory
CC: (none) => ghibomgx
Assignee: ghibomgx => qa-bugs
(In reply to katnatek from comment #5)
> Giuseppe, can you confirm the list of src.rpms?
>
> src:
>   9:
>     core:
>       - gstreamer1.0-1.22.11-1.mga9
>       - gstreamer1.0-devtools-1.22.11-1.mga9
>       - gstreamer1.0-editing-services-1.22.11-1.mga9
>       - gstreamer1.0-libav-1.22.11-1.mga9
>       - gstreamer1.0-moodbar-1.3.0-1.mga9
>       - gstreamer1.0-omx-1.22.11-1.mga9
>       - gstreamer1.0-plugins-bad-1.22.11-1.mga9
>       - gstreamer1.0-plugins-base-1.22.11-1.mga9
>       - gstreamer1.0-plugins-good-1.22.11-1.mga9
>       - gstreamer1.0-plugins-ugly-1.22.11-1.mga9
>       - gstreamer1.0-python-1.22.11-1.mga9
>       - gstreamer1.0-rtsp-server-1.22.11-1.mga9
>       - gstreamer1.0-vaapi-1.22.11-1.mga9
>     tainted:
>       - gstreamer1.0-plugins-bad-1.22.11-1.mga9
>       - gstreamer1.0-plugins-ugly-1.22.11-1.mga9
yes.
RH mageia 9 x86_64
Update first to core version
Play a free format file with gst-play-1.0
Update to tainted version
Play a free format file with gst-play-1.0
Play a nonfree format with gst-play-1.0
OK for me
MGA9-64 Plasma in VirtualBox. This particular guest is "untainted," meaning that the tainted repos were never activated.
The following 42 packages are going to be installed:
- gstreamer1.0-a52dec-1.22.11-1.mga9.x86_64
- gstreamer1.0-cdio-1.22.11-1.mga9.x86_64
- gstreamer1.0-cdparanoia-1.22.11-1.mga9.x86_64
- gstreamer1.0-dv-1.22.11-1.mga9.x86_64
- gstreamer1.0-flac-1.22.11-1.mga9.x86_64
- gstreamer1.0-fluidsynth-1.22.11-1.mga9.x86_64
- gstreamer1.0-gme-1.22.11-1.mga9.x86_64
- gstreamer1.0-gsm-1.22.11-1.mga9.x86_64
- gstreamer1.0-libav-1.22.11-1.mga9.x86_64
- gstreamer1.0-moodbar-1.3.0-1.mga9.x86_64
- gstreamer1.0-mpeg-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-bad-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-base-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-good-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-ugly-1.22.11-1.mga9.x86_64
- gstreamer1.0-pulse-1.22.11-1.mga9.x86_64
- gstreamer1.0-rtmp-1.22.11-1.mga9.x86_64
- gstreamer1.0-soup-1.22.11-1.mga9.x86_64
- gstreamer1.0-speex-1.22.11-1.mga9.x86_64
- gstreamer1.0-tools-1.22.11-1.mga9.x86_64
- gstreamer1.0-twolame-1.22.11-1.mga9.x86_64
- gstreamer1.0-vaapi-1.22.11-1.mga9.x86_64
- gstreamer1.0-wavpack-1.22.11-1.mga9.x86_64
- lib64gstbadaudio1.0_0-1.22.11-1.mga9.x86_64
- lib64gstbasecamerabinsrc1.0_0-1.22.11-1.mga9.x86_64
- lib64gstcodecparsers1.0_0-1.22.11-1.mga9.x86_64
- lib64gstcodecs1.0_0-1.22.11-1.mga9.x86_64
- lib64gstcuda1.0_0-1.22.11-1.mga9.x86_64
- lib64gstgl1.0_0-1.22.11-1.mga9.x86_64
- lib64gstmpegts1.0_0-1.22.11-1.mga9.x86_64
- lib64gstphotography1.0_0-1.22.11-1.mga9.x86_64
- lib64gstplay1.0_0-1.22.11-1.mga9.x86_64
- lib64gstplayer1.0_0-1.22.11-1.mga9.x86_64
- lib64gstreamer-plugins-base1.0_0-1.22.11-1.mga9.x86_64
- lib64gstreamer1.0_0-1.22.11-1.mga9.x86_64
- lib64gstsctp1.0_0-1.22.11-1.mga9.x86_64
- lib64gsttranscoder1.0_0-1.22.11-1.mga9.x86_64
- lib64gsturidownloader1.0_0-1.22.11-1.mga9.x86_64
- lib64gstva1.0_0-1.22.11-1.mga9.x86_64
- lib64gstwayland1.0_0-1.22.11-1.mga9.x86_64
- lib64gstwebrtc1.0_0-1.22.11-1.mga9.x86_64
- lib64gstwebrtcnice1.0_0-1.22.11-1.mga9.x86_64
No installation issues. Using Parole, which is based on gstreamer, for testing. Comment 0 says the update concerns the AV1 (NOT AVI) codec, so I used Handbrake on the host system to transcode two videos into that codec. Both played normally in Parole, so the core packages appear to be OK.
CC: (none) => andrewsfarm
RH mageia 9 i586
Update to core packages without issues
Update to tainted packages without issues
Use the video in https://bugs.mageia.org/show_bug.cgi?id=33014#c10
gst-play-1.0 spbtv_sample_bipbop_av1_960x540_25fps.mp4
Reproduce the video without issues
gstreamer1.0-1.22.11-1.mga9 not found in the remote repository
gstreamer1.0-rtsp-server-1.22.11-1.mga9 not found in the remote repository
Still aftereffect from downperiod???
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #10)
> gstreamer1.0-1.22.11-1.mga9 not found in the remote repository
> gstreamer1.0-rtsp-server-1.22.11-1.mga9 not found in the remote repository
> Still aftereffect from downperiod???
lib64gstrtspserver1.0_0-1.22.11-1.mga9
lib64gstrtspserver-gir1.0-1.22.11-1.mga9
gstreamer1.0-rtspclientsink-1.22.11-1.mga9
gstreamer1.0-1.22.11-1.mga9 does not exist in the list of packages
gstreamer1.0-1.22.11-1 is a source rpm. Herman, use one of the lists from the attachments for your tests.
As I tested another gstreamer-dependent application https://bugs.mageia.org/show_bug.cgi?id=33077#c3, I do not see why we should hold this update
Whiteboard: (none) => MGA9-64-OK, MGA9-32-OK
I was just thinking the same. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0119.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED