Bug 119512 - media-plugins/gst-plugins-ffmpeg is affected by CVE-2005-4048
Bug#: 119512 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: koon@gentoo.org
Component: Vulnerabilities
Summary: media-plugins/gst-plugins-ffmpeg is affected by CVE-2005-4048
Status Whiteboard: A2 [glsa]
Opened: 2006-01-19 01:05 0000
Description:
From joem: the patched ebuilds are 0.8.7-r1 and 0.10.0-r1
Can we call for stable on 0.8.7-r1 or is it not ready for prime-time?

------- Comment #1 From Thierry Carrez (RETIRED) 2006-01-19 01:06:27 0000 -------
setting status whiteboard

------- Comment #2 From Joe McCann (RETIRED) 2006-01-19 09:25:22 0000 -------
the 0.10 branch is still in package.mask so that shouldn't be an issue.
0.8.7-r1 can be marked stable.

------- Comment #3 From Stefan Cornelius (RETIRED) 2006-01-19 12:37:22 0000 -------
ok, let's go for it: arches please test and mark stable

------- Comment #4 From Simon Stelling (RETIRED) 2006-01-19 13:14:27 0000 -------
Created an attachment (id=77575)
config.log

checking for pkg-config... /usr/bin/pkg-config
checking for gstreamer-0.8 >= 0.8.4                    gstreamer-libs-0.8...
configure: error: no GStreamer found

!!! Please attach the config.log to your bug report:
!!!
/var/tmp/portage/gst-plugins-ffmpeg-0.8.7-r1/work/gst-ffmpeg-0.8.7/config.log

!!! ERROR: media-plugins/gst-plugins-ffmpeg-0.8.7-r1 failed.
!!! Function econf, Line 495, Exitcode 0
!!! econf failed

note that gstreamer-0.8.10 is installed and
/usr/lib64/pkgconfig/gstreamer-0.8.pc is in place and looks sane

------- Comment #5 From Gustavo Zacarias (RETIRED) 2006-01-20 12:24:59 0000 -------
Didn't hit the build issue, but then I'm on gstreamer & co version 0.8.11.
As a precaution and looking into doing bug #119634 I'm bumping all of
gst-0.8.11 to stable too. Remember to bump all of the gst-plugins you have
stable too or you'll get up/downgrade cycles.
Also had to adjust totem DEPs since they locked down to (
=gst-plugins-ffmpeg-0.8.6 || =gst-plugins-ffmpeg-0.8.7 ) (changed to ~)
sparc done.

------- Comment #6 From Joshua Jackson 2006-01-20 15:13:08 0000 -------
Stable on x86

------- Comment #7 From Markus Rothe 2006-01-20 23:41:59 0000 -------
stable on ppc64

------- Comment #8 From René Nussbaumer 2006-01-21 04:02:39 0000 -------
Stable on hppa

------- Comment #9 From Simon Stelling (RETIRED) 2006-01-21 05:32:30 0000 -------
Never mind, it turned out I must have done something not-so-intelligent in my
pkgconfig dir, remerging gst-plugins did fix it

amd64 stable

------- Comment #10 From Tobias Scherbaum 2006-01-21 07:16:54 0000 -------
Stabled on ppc by hansmi.

------- Comment #11 From Bryan Østergaard (RETIRED) 2006-01-29 13:48:15 0000 -------
Stable on alpha + ia64.

------- Comment #12 From Wolf Giesen (RETIRED) 2006-01-31 01:07:52 0000 -------
To properly understand this:

As I understand it, the bug is in libavcodec, so it should be in
media-video/ffmpeg, too, right?

Is gst-plugins-ffmpeg a wrapper to go with ffmpeg or does it contain its own
version of the library?

------- Comment #13 From Saleem Abdulrasool (RETIRED) 2006-02-03 13:53:41 0000 -------
gst-plugins-0.8.7-r1 is stable on all arches.  Marking as fixed.

------- Comment #14 From Stefan Cornelius (RETIRED) 2006-02-03 14:03:08 0000 -------
Sorry, reopening the bug as security needs to send the GLSA first (draft is
finished and approved, will be done soon).

------- Comment #15 From Stefan Cornelius (RETIRED) 2006-02-05 11:31:53 0000 -------
GLSA 200602-01

Thanks everybody.