Bug 33044 - gstreamer1.0-plugins-{base,good,bad,ugly} new security issues CVE-2024-0444
Summary: gstreamer1.0-plugins-{base,good,bad,ugly} new security issues CVE-2024-0444
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK, MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-04-01 22:36 CEST by Giuseppe Ghibò
Modified: 2024-04-10 06:04 CEST
CC: 4 users

See Also:
Source RPM:
CVE: CVE-2024-0444
Status comment:


Attachments
files list for core/release (4.62 KB, text/plain)
2024-04-03 13:52 CEST, Giuseppe Ghibò
files list tainted/release (3.24 KB, text/plain)
2024-04-03 13:53 CEST, Giuseppe Ghibò

Description Giuseppe Ghibò 2024-04-01 22:36:16 CEST
On the gstreamer security page, here:

https://gstreamer.freedesktop.org/security/sa-2024-0001.html

there is a report that gstreamer < 1.22.9 (mga9 actually has gstreamer 1.22.8) is affected by a security problem [Security Advisory 2024-0001 (ZDI-CAN-22873) (CVE-2024-0444)] in the AV1 codec.
Comment 1 Giuseppe Ghibò 2024-04-01 22:37:57 CEST
I updated the packages to gstreamer-1.22.11 in mga9's updates_testing. Packages are:

        gstreamer1.0
        gstreamer1.0-devtools
        gstreamer1.0-editing-services
        gstreamer1.0-libav
        gstreamer1.0-moodbar
        gstreamer1.0-omx
        gstreamer1.0-plugins-bad
        gstreamer1.0-plugins-base
        gstreamer1.0-plugins-good
        gstreamer1.0-plugins-ugly
        gstreamer1.0-python
        gstreamer1.0-rtsp-server
        gstreamer1.0-vaapi

The files list will follow.
Comment 2 Lewis Smith 2024-04-02 20:58:50 CEST
Assigning to you as you are already doing it!
And thank you for your prompt action.

Assignee: bugsquad => ghibomgx

Comment 3 Giuseppe Ghibò 2024-04-03 13:52:52 CEST
Created attachment 14490 [details]
files list for core/release
Comment 4 Giuseppe Ghibò 2024-04-03 13:53:42 CEST
Created attachment 14491 [details]
files list tainted/release

files list for tainted/release added.
katnatek 2024-04-03 20:23:06 CEST

Component: RPM Packages => Security
QA Contact: (none) => security
CVE: (none) => CVE-2024-0444

Comment 5 katnatek 2024-04-03 20:36:13 CEST
Giuseppe, can you confirm the list of src.rpms?

src:
  9:
    core:
    - gstreamer1.0-1.22.11-1.mga9
    - gstreamer1.0-devtools-1.22.11-1.mga9
    - gstreamer1.0-editing-services-1.22.11-1.mga9
    - gstreamer1.0-libav-1.22.11-1.mga9
    - gstreamer1.0-moodbar-1.3.0-1.mga9
    - gstreamer1.0-omx-1.22.11-1.mga9
    - gstreamer1.0-plugins-bad-1.22.11-1.mga9
    - gstreamer1.0-plugins-base-1.22.11-1.mga9
    - gstreamer1.0-plugins-good-1.22.11-1.mga9
    - gstreamer1.0-plugins-ugly-1.22.11-1.mga9
    - gstreamer1.0-python-1.22.11-1.mga9
    - gstreamer1.0-rtsp-server-1.22.11-1.mga9
    - gstreamer1.0-vaapi-1.22.11-1.mga9
    tainted:
    - gstreamer1.0-plugins-bad-1.22.11-1.mga9
    - gstreamer1.0-plugins-ugly-1.22.11-1.mga9

Keywords: (none) => advisory

katnatek 2024-04-03 20:38:03 CEST

CC: (none) => ghibomgx
Assignee: ghibomgx => qa-bugs

Comment 6 Giuseppe Ghibò 2024-04-04 11:01:32 CEST
(In reply to katnatek from comment #5)

> Giuseppe, can you confirm the list of src.rpms?
> 
> src:
>   9:
>     core:
>     - gstreamer1.0-1.22.11-1.mga9
>     - gstreamer1.0-devtools-1.22.11-1.mga9
>     - gstreamer1.0-editing-services-1.22.11-1.mga9
>     - gstreamer1.0-libav-1.22.11-1.mga9
>     - gstreamer1.0-moodbar-1.3.0-1.mga9
>     - gstreamer1.0-omx-1.22.11-1.mga9
>     - gstreamer1.0-plugins-bad-1.22.11-1.mga9
>     - gstreamer1.0-plugins-base-1.22.11-1.mga9
>     - gstreamer1.0-plugins-good-1.22.11-1.mga9
>     - gstreamer1.0-plugins-ugly-1.22.11-1.mga9
>     - gstreamer1.0-python-1.22.11-1.mga9
>     - gstreamer1.0-rtsp-server-1.22.11-1.mga9
>     - gstreamer1.0-vaapi-1.22.11-1.mga9
>     tainted:
>     - gstreamer1.0-plugins-bad-1.22.11-1.mga9
>     - gstreamer1.0-plugins-ugly-1.22.11-1.mga9

Yes.
Comment 7 katnatek 2024-04-04 22:11:53 CEST
RH mageia 9 x86_64

Update first to the core version.
Play a free-format file with gst-play-1.0.

Update to the tainted version.

Play a free-format file with gst-play-1.0.
Play a non-free-format file with gst-play-1.0.

OK for me
Comment 8 Thomas Andrews 2024-04-05 01:18:26 CEST
MGA9-64 Plasma in VirtualBox. This particular guest is "untainted," meaning that the tainted repos were never activated. 

The following 42 packages are going to be installed:

- gstreamer1.0-a52dec-1.22.11-1.mga9.x86_64
- gstreamer1.0-cdio-1.22.11-1.mga9.x86_64
- gstreamer1.0-cdparanoia-1.22.11-1.mga9.x86_64
- gstreamer1.0-dv-1.22.11-1.mga9.x86_64
- gstreamer1.0-flac-1.22.11-1.mga9.x86_64
- gstreamer1.0-fluidsynth-1.22.11-1.mga9.x86_64
- gstreamer1.0-gme-1.22.11-1.mga9.x86_64
- gstreamer1.0-gsm-1.22.11-1.mga9.x86_64
- gstreamer1.0-libav-1.22.11-1.mga9.x86_64
- gstreamer1.0-moodbar-1.3.0-1.mga9.x86_64
- gstreamer1.0-mpeg-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-bad-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-base-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-good-1.22.11-1.mga9.x86_64
- gstreamer1.0-plugins-ugly-1.22.11-1.mga9.x86_64
- gstreamer1.0-pulse-1.22.11-1.mga9.x86_64
- gstreamer1.0-rtmp-1.22.11-1.mga9.x86_64
- gstreamer1.0-soup-1.22.11-1.mga9.x86_64
- gstreamer1.0-speex-1.22.11-1.mga9.x86_64
- gstreamer1.0-tools-1.22.11-1.mga9.x86_64
- gstreamer1.0-twolame-1.22.11-1.mga9.x86_64
- gstreamer1.0-vaapi-1.22.11-1.mga9.x86_64
- gstreamer1.0-wavpack-1.22.11-1.mga9.x86_64
- lib64gstbadaudio1.0_0-1.22.11-1.mga9.x86_64
- lib64gstbasecamerabinsrc1.0_0-1.22.11-1.mga9.x86_64
- lib64gstcodecparsers1.0_0-1.22.11-1.mga9.x86_64
- lib64gstcodecs1.0_0-1.22.11-1.mga9.x86_64
- lib64gstcuda1.0_0-1.22.11-1.mga9.x86_64
- lib64gstgl1.0_0-1.22.11-1.mga9.x86_64
- lib64gstmpegts1.0_0-1.22.11-1.mga9.x86_64
- lib64gstphotography1.0_0-1.22.11-1.mga9.x86_64
- lib64gstplay1.0_0-1.22.11-1.mga9.x86_64
- lib64gstplayer1.0_0-1.22.11-1.mga9.x86_64
- lib64gstreamer-plugins-base1.0_0-1.22.11-1.mga9.x86_64
- lib64gstreamer1.0_0-1.22.11-1.mga9.x86_64
- lib64gstsctp1.0_0-1.22.11-1.mga9.x86_64
- lib64gsttranscoder1.0_0-1.22.11-1.mga9.x86_64
- lib64gsturidownloader1.0_0-1.22.11-1.mga9.x86_64
- lib64gstva1.0_0-1.22.11-1.mga9.x86_64
- lib64gstwayland1.0_0-1.22.11-1.mga9.x86_64
- lib64gstwebrtc1.0_0-1.22.11-1.mga9.x86_64
- lib64gstwebrtcnice1.0_0-1.22.11-1.mga9.x86_64

No installation issues. Using Parole, which is based on gstreamer, for testing. 

Comment 0 says the update concerns the AV1 (NOT AVI) codec, so I used Handbrake on the host system to transcode two videos into that codec. Both played normally in Parole, so the core packages appear to be OK.

CC: (none) => andrewsfarm

Comment 9 katnatek 2024-04-06 00:39:10 CEST
RH mageia 9 i586

Update to the core packages without issues.
Update to the tainted packages without issues.

Used the video from https://bugs.mageia.org/show_bug.cgi?id=33014#c10

gst-play-1.0 spbtv_sample_bipbop_av1_960x540_25fps.mp4 

The video plays without issues.
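The test comments above boil down to one question a QA tester or sysadmin has to answer before playing any files: are the installed gstreamer binary packages already at the fixed versions from comment 5? The following script is an added example, not something from this bug or from the Mageia packagers. It parses `rpm -qa`-style name-version-release.arch lines, flags any gstreamer package still below 1.22.11 (1.3.0 for the moodbar plugin, whose version did not change in this update), and also detects the mistake from comments 10 to 12, where a source rpm name (no architecture suffix) was looked up as if it were a binary package. The sample `rpm -qa` output, the package-name test (`"gst" in name`) and the known-architecture list are constructed assumptions; the version comparison is a simplified stand-in for rpm's own `rpmvercmp`.

```python
"""Check installed gstreamer packages against the versions fixed for CVE-2024-0444.

Added example: not from the Mageia bug or the packagers. Assumes rpm -qa style
input lines (name-version-release.arch) and the fixed versions from comment 5.
"""
import re

# Fixed source versions from the src.rpm list in comment 5 of the bug:
# every gstreamer1.0 source went to 1.22.11, except gstreamer1.0-moodbar,
# which stayed at 1.3.0 (rebuilt only).
FIXED_VERSION = "1.22.11"
FIXED_MOODBAR_VERSION = "1.3.0"

# Constructed sample of `rpm -qa 'gstreamer1.0*' 'lib64gst*'` output:
# one package still at the vulnerable 1.22.8, the rest already updated.
SAMPLE_RPM_QA = """\
gstreamer1.0-plugins-base-1.22.11-1.mga9.x86_64
gstreamer1.0-plugins-bad-1.22.8-1.mga9.x86_64
gstreamer1.0-moodbar-1.3.0-1.mga9.x86_64
lib64gstreamer1.0_0-1.22.11-1.mga9.x86_64
lib64gstcodecparsers1.0_0-1.22.11-1.mga9.x86_64
"""

# Architectures a Mageia binary rpm can carry (assumption: extend as needed).
KNOWN_ARCHES = {"x86_64", "i586", "i686", "noarch", "aarch64", "armv7hl"}

# name-version-release.arch: name may contain hyphens and dots (gstreamer1.0),
# version and release may not contain hyphens, arch is the last dotted field.
NVRA_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def parse_nvra(line):
    """Split one package string into name/version/release/arch, or None."""
    match = NVRA_RE.match(line.strip())
    return match.groupdict() if match else None


def looks_like_source_rpm(line):
    """True when the string ends in something that is not a real arch.

    'gstreamer1.0-1.22.11-1.mga9' parses with arch 'mga9': that is the source
    rpm name from comment 5, which never appears as an installable binary
    (the confusion in comments 10 to 12).
    """
    pkg = parse_nvra(line)
    return pkg is not None and pkg["arch"] not in KNOWN_ARCHES


def version_key(version):
    """Simplified comparison key: dotted numeric components only.

    Real rpm uses rpmvercmp (letters, tildes, carets); this is enough for
    the 1.22.x versions involved in this update.
    """
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def expected_version(name):
    """Fixed version a given gstreamer package should be at after the update."""
    return FIXED_MOODBAR_VERSION if "moodbar" in name else FIXED_VERSION


def find_unpatched(rpm_qa_output):
    """Return names of installed gstreamer packages still below the fixed version."""
    unpatched = []
    for line in rpm_qa_output.splitlines():
        pkg = parse_nvra(line)
        if pkg is None or "gst" not in pkg["name"]:
            continue  # not a gstreamer package (heuristic, see lead-in)
        if version_key(pkg["version"]) < version_key(expected_version(pkg["name"])):
            unpatched.append(pkg["name"])
    return unpatched


if __name__ == "__main__":
    for name in find_unpatched(SAMPLE_RPM_QA):
        print("still vulnerable:", name)
    print("source rpm name?", looks_like_source_rpm("gstreamer1.0-1.22.11-1.mga9"))
```

On a real Mageia 9 box, replace `SAMPLE_RPM_QA` with the output of `rpm -qa 'gstreamer1.0*' 'lib64gst*'` (or `rpm -qa 'libgst*'` on i586); an empty result from `find_unpatched` is the precondition for the gst-play-1.0 checks in comments 7 and 9.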
Comment 10 Herman Viaene 2024-04-08 17:42:08 CEST
gstreamer1.0-1.22.11-1.mga9 not found in the remote repository
gstreamer1.0-rtsp-server-1.22.11-1.mga9 not found in the remote repository
Still an aftereffect from the down period???

CC: (none) => herman.viaene

Comment 11 katnatek 2024-04-08 18:59:53 CEST
(In reply to Herman Viaene from comment #10)
> gstreamer1.0-1.22.11-1.mga9 not found in the remote repository
> gstreamer1.0-rtsp-server-1.22.11-1.mga9 not found in the remote repository
> Still an aftereffect from the down period???

lib64gstrtspserver1.0_0-1.22.11-1.mga9
lib64gstrtspserver-gir1.0-1.22.11-1.mga9
gstreamer1.0-rtspclientsink-1.22.11-1.mga9

gstreamer1.0-1.22.11-1.mga9 does not exist in the list of packages.
Comment 12 Thomas Andrews 2024-04-08 19:51:24 CEST
gstreamer1.0-1.22.11-1 is a source rpm. 

Herman, use one of the lists from the attachments for your tests.
Comment 13 katnatek 2024-04-09 23:44:09 CEST
As I tested another gstreamer-dependent application (https://bugs.mageia.org/show_bug.cgi?id=33077#c3), I don't see why we should hold this update.

Whiteboard: (none) => MGA9-64-OK, MGA9-32-OK

Comment 14 Thomas Andrews 2024-04-10 00:11:43 CEST
I was just thinking the same. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Mageia Robot 2024-04-10 06:04:55 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0119.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
