| Summary: | <media-libs/gst-plugins-base-0.10.23 gst_vorbis_tag_add_coverart base64 decoding memory corruption (CVE-2009-0586) |
| Product: | Gentoo Security |
| Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Severity: | normal |
| CC: | craig, gstreamer, hanno |
| Package list: | |
| Runtime testing required: | --- |
| Bug Depends on: | 266986 |
Description Robert Buchholz (RETIRED) 2009-03-07 17:46:46 UTC
Comment 1 Robert Buchholz (RETIRED) 2009-03-07 17:48:50 UTC
Created attachment 184248 gst-plugins-base-0.10.20-CVE-2009-0586.patch
upstream provided patch
Comment 2 Robert Buchholz (RETIRED) 2009-03-07 17:50:27 UTC
Upstream is going to release a new gstreamer package next Thursday. However, it would be preferable to do prestable testing based on the current stable (or a later version) including the patch. Please attach an ebuild to this bug; do not commit anything to CVS!
Comment 3 Robert Buchholz (RETIRED) 2009-03-12 16:32:12 UTC
public: http://www.ocert.org/advisories/ocert-2008-015.html
patch: http://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=566583e87147f774e7fc4c78b5f7e61d427e40a9
Comment 4 Robert Buchholz (RETIRED) 2009-03-15 14:28:57 UTC
*** Bug 262552 has been marked as a duplicate of this bug. ***
Comment 5 Olivier Crete (RETIRED) 2009-03-30 04:39:04 UTC
Added gst-plugins-base 0.10.22 ebuild with the patch. If we want it stable, we also want all of its separated plugins as well as gst-plugins-bad 0.10.11 and its separated plugins.
Comment 6 Olivier Crete (RETIRED) 2009-03-30 04:46:31 UTC
Also, having the new -bad means we also need the new -ugly and -good. So, if we want the new -base stable, we need to make all the latest gst packages stable.
Comment 7 Olivier Crete (RETIRED) 2009-05-16 22:21:09 UTC
Adding the stabilization bug as a dependency.
Comment 8 Robert Buchholz (RETIRED) 2009-07-12 17:48:01 UTC