| Summary: | <media-plugins/gst-plugins-ffmpeg-0.10.5 FFmpeg psxstr.c Buffer overflow (CVE-2008-3162) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | gnome, gstreamer, loki_val |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 231831, 245291 | | |
| Bug Blocks: | | | |
| Attachments: | | | |

Description
Robert Buchholz (RETIRED)
2008-07-15 03:21:11 UTC
Created attachment 160413
gst-plugins-ffmpeg-0.10.1-r1-CVE-2008-3162.patch

(In reply to comment #0)
> media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that
> statically. Is it generally possible to have it link to a system-provided
> version?

That is not supported by upstream.

(In reply to comment #2)
> (In reply to comment #0)
> > media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that
> > statically. Is it generally possible to have it link to a system-provided
> > version?
>
> That is not supported by upstream.

In this case we need to rebase their ffmpeg or patch this issue (you can find a patch in comment 1).

Why not just use a more recent version of gst-ffmpeg?

0.10.6 ships with r15750
0.10.5 ships with r15004

Any version above (and including) 0.10.5 has this issue fixed.

Please CC archteams and fix status whiteboard as needed.. not sure if I got it right.

Archteams don't seem to realize they are not handling several bugs..

ppc stable

Sparc stable --- forgot to note it on the bug.

Security: All archteams are done, and old versions have been removed from tree.

GLSA 200903-33