Bug 4152 - gstreamer0.10-ffmpeg uses internal ffmpeg and is missing security updates
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Shlomi Fish
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks: 4146
Reported: 2012-01-16 16:04 CET by David Walser
Modified: 2012-02-11 19:14 CET

See Also:
Source RPM: gstreamer0.10-ffmpeg-0.10.11-3.1.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-01-16 16:04:58 CET
gstreamer0.10-ffmpeg was updated in October 2011 along with ffmpeg and mplayer.

It was not updated in January in conjunction with this update:
ffmpeg - Bug 3431
mplayer - Bug 4001
blender - Bug 3983

I don't believe we've issued any updates with these patches from Ubuntu:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/ffmpeg/maverick-security/revision/54

There is also a newer update needed:
ffmpeg - Bug 4147

David Walser 2012-01-16 16:05:21 CET

Blocks: (none) => 4146

Comment 1 Manuel Hiebel 2012-01-16 16:58:28 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
CC: (none) => shlomif

Manuel Hiebel 2012-01-16 17:02:13 CET

CC: shlomif => (none)
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2012-01-16 20:08:06 CET
I got a report that gstreamer-ffmpeg should also build against the external ffmpeg. Should we implement this change in Mageia 1 as well?

Regards,

-- Shlomi Fish

Comment 3 David Walser 2012-01-16 21:02:36 CET
(In reply to comment #2)
> I got a report that gstreamer-ffmpeg should also build against the external
> ffmpeg. Should we implement this change in Mageia 1 as well?
> 
> Regards,
> 
> -- Shlomi Fish

Please implement that change in Cauldron if it hasn't already been done. As for Mageia 1, I don't think that's the kind of change we are supposed to do with updates. Admittedly it would be nice, saving us from having to continue to update it in the future when ffmpeg is, but we can save ourselves that headache for Mageia 2 and forward by fixing it in Cauldron. For Mageia 1 I think we just have to deal with it.

Comment 4 Manuel Hiebel 2012-02-01 11:45:45 CET
Ping?

Comment 5 Manuel Hiebel 2012-02-05 10:53:49 CET
I saw a package is in testing, is it good to go to QA?

Comment 6 Shlomi Fish 2012-02-05 18:11:55 CET
(In reply to comment #5)
> I saw a package is in testing, is it good to go to QA?

Yes, it is.

Regards,

-- Shlomi Fish

Comment 7 Manuel Hiebel 2012-02-05 18:23:32 CET
(In reply to comment #6)
> (In reply to comment #5)
> > I saw a package is in testing, is it good to go to QA?
> 
> Yes, it is.

Ok thanks, remember the policy :)

There is now gstreamer0.10-ffmpeg-0.10.11-3.2.mga1 in core/updates_testing to validate

Suggested Advisory:
-------------
This update addresses the following CVEs:

- CVE-2011-3504 denial of service and possible code execution via
  malformed Matroska file
- CVE-2011-4351 denial of service and possible code execution via
  malformed file containing QDM2 stream
- CVE-2011-4352 denial of service and possible code execution via
  malformed file containing VP3 stream
- CVE-2011-4353 denial of service and possible code execution via
  malformed file containing VP5 or VP6 streams
- CVE-2011-4364 denial of service and possible code execution via
  malformed VMD file
- CVE-2011-4579 denial of service and possible code execution via
  malformed file containing svq1 stream

https://bugs.mageia.org/show_bug.cgi?id=4152
-------------

SRPM: 	gstreamer0.10-ffmpeg-0.10.11-3.2.mga1.src.rpm

Keywords: Triaged => (none)
Assignee: shlomif => qa-bugs

Comment 8 Dave Hodgins 2012-02-05 20:20:45 CET
Testing on i586 complete for the srpm
gstreamer0.10-ffmpeg-0.10.11-3.2.mga1.src.rpm

Tested using arista-gtk to convert a video from flv to theora.

Shouldn't there also be a tainted version for faac etc.?

CC: (none) => davidwhodgins

Comment 9 claire robinson 2012-02-06 15:47:01 CET
Tested, same method x86_64. strace shows it being used.

Tried several different formats.

I agree there should probably be a tainted version if this is using internal ffmpeg, there doesn't appear to be one in Release either.

Comment 10 claire robinson 2012-02-08 17:24:29 CET
Adding Shlomi to CC and pinging him ;)

CC: (none) => shlomif

Comment 11 claire robinson 2012-02-10 18:45:01 CET
Assigning Shlomi. Please reassign to QA when you've had a chance to look at this.

Thanks!

CC: (none) => qa-bugs
Hardware: i586 => All
Assignee: qa-bugs => shlomif

Comment 12 David Walser 2012-02-10 19:18:11 CET
There is nothing in the SPEC for gstreamer0.10-ffmpeg about a tainted version. That might be something to consider for Cauldron, but it's not going to happen for Mageia 1. Also note that there isn't a tainted build in /release. This is ready for QA.

Comment 13 Shlomi Fish 2012-02-10 20:03:18 CET
Which items require my attention? I don't understand what I should do or investigate from the dialogue on this bug report.

Comment 14 Dave Hodgins 2012-02-11 00:01:37 CET
(In reply to comment #13)
> Which items require my attention? I don't understand what I should do or
> investigate from the dialogue on this bug report.

Whether or not there should be a tainted version.

As per Comment 12, I'll go ahead and validate the update.

Could someone from the sysadmin team push the srpm
gstreamer0.10-ffmpeg-0.10.11-3.2.mga1.src.rpm
from Core Updates Testing to Core Updates.

Advisory: This security update for gstreamer0.10-ffmpeg addresses
 the following CVEs:

- CVE-2011-3504 denial of service and possible code execution via
  malformed Matroska file
- CVE-2011-4351 denial of service and possible code execution via
  malformed file containing QDM2 stream
- CVE-2011-4352 denial of service and possible code execution via
  malformed file containing VP3 stream
- CVE-2011-4353 denial of service and possible code execution via
  malformed file containing VP5 or VP6 streams
- CVE-2011-4364 denial of service and possible code execution via
  malformed VMD file
- CVE-2011-4579 denial of service and possible code execution via
  malformed file containing svq1 stream

https://bugs.mageia.org/show_bug.cgi?id=4152

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Thomas Backlund 2012-02-11 19:14:52 CET
update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
