Bug 34356 - gstreamer1.0-plugins-bad new security issue CVE-2025-3887
Summary: gstreamer1.0-plugins-bad new security issue CVE-2025-3887
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-06-06 16:15 CEST by Nicolas Salguero
Modified: 2025-11-06 02:22 CET

See Also:
Source RPM: gstreamer1.0-plugins-bad-1.22.11-1.mga9.tainted.src.rpm
CVE: CVE-2025-3887
Status comment:



Description Nicolas Salguero 2025-06-06 16:15:25 CEST
Ubuntu has issued an advisory on June 5:
https://ubuntu.com/security/notices/USN-7558-1
Comment 1 Nicolas Salguero 2025-06-06 16:18:09 CEST
gstreamer1.0-plugins-bad is in "Core" and "Tainted".

Upstream fixes:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5463f0e09768ca90aa8c58357c1f4c645db580db
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/bcaab3609805ea10fb3d9ac0c9d947b4c3563948

CVE: (none) => CVE-2025-3887
Source RPM: (none) => gstreamer1.0-plugins-bad
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.26.1 and patches available from upstream

Comment 2 Lewis Smith 2025-06-07 20:45:06 CEST
Cauldron at version 1.26.0.
M9 is 1.22.11.
Assigning directly to DavidG.

Source RPM: gstreamer1.0-plugins-bad => gstreamer1.0-plugins-bad-1.22.11-1.mga9.tainted.src.rpm
Assignee: bugsquad => geiger.david68210

Nicolas Salguero 2025-10-31 11:47:58 CET

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Comment 3 Nicolas Salguero 2025-11-03 14:14:56 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. (CVE-2025-3887)

References:
https://ubuntu.com/security/notices/USN-7558-1
========================

Updated packages in core/updates_testing:
========================
gstreamer1.0-curl-1.22.11-1.1.mga9
gstreamer1.0-dash-1.22.11-1.1.mga9
gstreamer1.0-fluidsynth-1.22.11-1.1.mga9
gstreamer1.0-gme-1.22.11-1.1.mga9
gstreamer1.0-gsm-1.22.11-1.1.mga9
gstreamer1.0-ladspa-1.22.11-1.1.mga9
gstreamer1.0-libass-1.22.11-1.1.mga9
gstreamer1.0-mpeg2enc-1.22.11-1.1.mga9
gstreamer1.0-neon-1.22.11-1.1.mga9
gstreamer1.0-plugins-bad-1.22.11-1.1.mga9
gstreamer1.0-rtmp-1.22.11-1.1.mga9
gstreamer1.0-sbc-1.22.11-1.1.mga9
gstreamer1.0-smoothstreaming-1.22.11-1.1.mga9
gstreamer1.0-soundtouch-1.22.11-1.1.mga9
gstreamer1.0-srtp-1.22.11-1.1.mga9
gstreamer1.0-transcoder-1.22.11-1.1.mga9
gstreamer1.0-wildmidi-1.22.11-1.1.mga9
lib(64)cudagst1.0-1.22.11-1.1.mga9
lib(64)girgstmpegts-gir1.0-1.22.11-1.1.mga9
lib(64)girinsertbin-git1.0-1.22.11-1.1.mga9
lib(64)gstbadaudio-gir1.0-1.22.11-1.1.mga9
lib(64)gstbadaudio1.0_0-1.22.11-1.1.mga9
lib(64)gstbasecamerabinsrc1.0_0-1.22.11-1.1.mga9
lib(64)gstcodecparsers1.0_0-1.22.11-1.1.mga9
lib(64)gstcodecs-gir1.0-1.22.11-1.1.mga9
lib(64)gstcodecs1.0_0-1.22.11-1.1.mga9
lib(64)gstcuda-gir1.0-1.22.11-1.1.mga9
lib(64)gstcuda1.0_0-1.22.11-1.1.mga9
lib(64)gstinsertbin1.0_0-1.22.11-1.1.mga9
lib(64)gstisoff1.0_0-1.22.11-1.1.mga9
lib(64)gstmpegts1.0_0-1.22.11-1.1.mga9
lib(64)gstphotography1.0_0-1.22.11-1.1.mga9
lib(64)gstplay-gir1.0-1.22.11-1.1.mga9
lib(64)gstplay1.0_0-1.22.11-1.1.mga9
lib(64)gstplayer-gir1.0-1.22.11-1.1.mga9
lib(64)gstplayer1.0_0-1.22.11-1.1.mga9
lib(64)gstreamer-plugins-bad1.0-devel-1.22.11-1.1.mga9
lib(64)gstsctp1.0_0-1.22.11-1.1.mga9
lib(64)gsttranscoder-devel-1.22.11-1.1.mga9
lib(64)gsttranscoder-gir1.0-1.22.11-1.1.mga9
lib(64)gsttranscoder1.0_0-1.22.11-1.1.mga9
lib(64)gsturidownloader1.0_0-1.22.11-1.1.mga9
lib(64)gstva-gir1.0-1.22.11-1.1.mga9
lib(64)gstva1.0_0-1.22.11-1.1.mga9
lib(64)gstwayland1.0_0-1.22.11-1.1.mga9
lib(64)gstwebrtc-gir1.0-1.22.11-1.1.mga9
lib(64)gstwebrtc1.0_0-1.22.11-1.1.mga9
lib(64)gstwebrtcnice1.0_0-1.22.11-1.1.mga9

from SRPM:
gstreamer1.0-plugins-bad-1.22.11-1.1.mga9.src.rpm

Updated packages in tainted/updates_testing:
========================
gstreamer1.0-curl-1.22.11-1.1.mga9.tainted
gstreamer1.0-dash-1.22.11-1.1.mga9.tainted
gstreamer1.0-de265-1.22.11-1.1.mga9.tainted
gstreamer1.0-faad-1.22.11-1.1.mga9.tainted
gstreamer1.0-fdkaac-1.22.11-1.1.mga9.tainted
gstreamer1.0-fluidsynth-1.22.11-1.1.mga9.tainted
gstreamer1.0-gme-1.22.11-1.1.mga9.tainted
gstreamer1.0-gsm-1.22.11-1.1.mga9.tainted
gstreamer1.0-ladspa-1.22.11-1.1.mga9.tainted
gstreamer1.0-libass-1.22.11-1.1.mga9.tainted
gstreamer1.0-mpeg2enc-1.22.11-1.1.mga9.tainted
gstreamer1.0-neon-1.22.11-1.1.mga9.tainted
gstreamer1.0-plugins-bad-1.22.11-1.1.mga9.tainted
gstreamer1.0-rtmp-1.22.11-1.1.mga9.tainted
gstreamer1.0-sbc-1.22.11-1.1.mga9.tainted
gstreamer1.0-smoothstreaming-1.22.11-1.1.mga9.tainted
gstreamer1.0-soundtouch-1.22.11-1.1.mga9.tainted
gstreamer1.0-srtp-1.22.11-1.1.mga9.tainted
gstreamer1.0-transcoder-1.22.11-1.1.mga9.tainted
gstreamer1.0-wildmidi-1.22.11-1.1.mga9.tainted
gstreamer1.0-x265-1.22.11-1.1.mga9.tainted
lib(64)cudagst1.0-1.22.11-1.1.mga9.tainted
lib(64)girgstmpegts-gir1.0-1.22.11-1.1.mga9.tainted
lib(64)girinsertbin-git1.0-1.22.11-1.1.mga9.tainted
lib(64)gstbadaudio-gir1.0-1.22.11-1.1.mga9.tainted
lib(64)gstbadaudio1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstbasecamerabinsrc1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstcodecparsers1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstcodecs-gir1.0-1.22.11-1.1.mga9.tainted
lib(64)gstcodecs1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstcuda-gir1.0-1.22.11-1.1.mga9.tainted
lib(64)gstcuda1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstinsertbin1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstisoff1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstmpegts1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstphotography1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstplay-gir1.0-1.22.11-1.1.mga9.tainted
lib(64)gstplay1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstplayer-gir1.0-1.22.11-1.1.mga9.tainted
lib(64)gstplayer1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstreamer-plugins-bad1.0-devel-1.22.11-1.1.mga9.tainted
lib(64)gstsctp1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gsttranscoder-devel-1.22.11-1.1.mga9.tainted
lib(64)gsttranscoder-gir1.0-1.22.11-1.1.mga9.tainted
lib(64)gsttranscoder1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gsturidownloader1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstva-gir1.0-1.22.11-1.1.mga9.tainted
lib(64)gstva1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstwayland1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstwebrtc-gir1.0-1.22.11-1.1.mga9.tainted
lib(64)gstwebrtc1.0_0-1.22.11-1.1.mga9.tainted
lib(64)gstwebrtcnice1.0_0-1.22.11-1.1.mga9.tainted

from SRPM:
gstreamer1.0-plugins-bad-1.22.11-1.1.mga9.tainted.src.rpm

Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 1.26.1 and patches available from upstream => (none)
Status: NEW => ASSIGNED

katnatek 2025-11-04 00:07:45 CET

Keywords: (none) => advisory

Comment 4 Herman Viaene 2025-11-05 17:02:47 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
Installed first Core updates.
Ref bug 32071, tested by running different videos (avi, mpg, mp4) with parole. All works OK.
Coming back for tainted.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2025-11-05 17:40:11 CET
Installed all tainted, parole plays all as well.
So this should be, as in bug 32071, good to go.

Whiteboard: (none) => MGA9-64-OK

Comment 6 Thomas Andrews 2025-11-06 00:12:16 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2025-11-06 02:22:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0264.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

