gstreamer0.10-ffmpeg was updated in October 2011 along with ffmpeg and mplayer. It was not updated in January in conjunction with this update:

ffmpeg - Bug 3431
mplayer - Bug 4001
blender - Bug 3983

I don't believe we've issued any updates with these patches from Ubuntu:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/maverick/ffmpeg/maverick-security/revision/54

There is also a newer update needed:
ffmpeg - Bug 4147
Blocks: (none) => 4146
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
CC: (none) => shlomif
CC: shlomif => (none)
Assignee: bugsquad => shlomif
I got a report that gstreamer-ffmpeg should also build against the external ffmpeg. Should we implement this change in Mageia 1 as well?

Regards,

-- Shlomi Fish
(In reply to comment #2)
> I got a report that gstreamer-ffmpeg should also build against the external
> ffmpeg. Should we implement this change in Mageia 1 as well?
>
> Regards,
>
> -- Shlomi Fish

Please implement that change in Cauldron if it hasn't already been done.

As for Mageia 1, I don't think that's the kind of change we are supposed to do with updates. Admittedly it would be nice, saving us from having to continue to update it in the future when ffmpeg is, but we can save ourselves that headache for Mageia 2 and forward by fixing it in Cauldron. For Mageia 1 I think we just have to deal with it.
Ping?
I saw a package is in testing, is it good to go to QA?
(In reply to comment #5)
> I saw a package is in testing, is it good to go to QA?

Yes, it is.

Regards,

-- Shlomi Fish
(In reply to comment #6)
> (In reply to comment #5)
> > I saw a package is in testing, is it good to go to QA?
>
> Yes, it is.

Ok thanks, remember the policy :)

There is now gstreamer0.10-ffmpeg-0.10.11-3.2.mga1 in core/updates_testing to validate

Suggested Advisory:
-------------
This update addresses the following CVEs:

- CVE-2011-3504 denial of service and possible code execution via malformed Matroska file
- CVE-2011-4351 denial of service and possible code execution via malformed file containing QDM2 stream
- CVE-2011-4352 denial of service and possible code execution via malformed file containing VP3 stream
- CVE-2011-4353 denial of service and possible code execution via malformed file containing VP5 or VP6 streams
- CVE-2011-4364 denial of service and possible code execution via malformed VMD file
- CVE-2011-4579 denial of service and possible code execution via malformed file containing svq1 stream

https://bugs.mageia.org/show_bug.cgi?id=4152
-------------

SRPM: gstreamer0.10-ffmpeg-0.10.11-3.2.mga1.src.rpm
Keywords: Triaged => (none)
Assignee: shlomif => qa-bugs
Testing on i586 complete for the srpm gstreamer0.10-ffmpeg-0.10.11-3.2.mga1.src.rpm

Tested using arista-gtk to convert a video from flv to theora.

Shouldn't there also be a tainted version for faac etc.?
CC: (none) => davidwhodgins
Tested, same method x86_64. strace shows it being used. Tried several different formats. I agree there should probably be a tainted version if this is using internal ffmpeg, there doesn't appear to be one in Release either.
Adding Shlomi to CC and pinging him ;)
CC: (none) => shlomif
Assigning Shlomi. Please reassign to QA when you've had a chance to look at this. Thanks!
CC: (none) => qa-bugs
Hardware: i586 => All
Assignee: qa-bugs => shlomif
There is nothing in the SPEC for gstreamer0.10-ffmpeg about a tainted version. That might be something to consider for Cauldron, but it's not going to happen for Mageia 1. Also note that there isn't a tainted build in /release. This is ready for QA.
Which items require my attention? I don't understand what I should do or investigate from the dialogue on this bug report.
(In reply to comment #13)
> Which items require my attention? I don't understand what I should do or
> investigate from the dialogue on this bug report.

Whether or not there should be a tainted version.

As per Comment 12, I'll go ahead and validate the update.

Could someone from the sysadmin team push the srpm gstreamer0.10-ffmpeg-0.10.11-3.2.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory: This security update for gstreamer0.10-ffmpeg addresses the following CVEs:

- CVE-2011-3504 denial of service and possible code execution via malformed Matroska file
- CVE-2011-4351 denial of service and possible code execution via malformed file containing QDM2 stream
- CVE-2011-4352 denial of service and possible code execution via malformed file containing VP3 stream
- CVE-2011-4353 denial of service and possible code execution via malformed file containing VP5 or VP6 streams
- CVE-2011-4364 denial of service and possible code execution via malformed VMD file
- CVE-2011-4579 denial of service and possible code execution via malformed file containing svq1 stream

https://bugs.mageia.org/show_bug.cgi?id=4152
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
update pushed
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED