
Bug 599558

Summary: GStreamer 1.10 version bumps
Product: Gentoo Linux
Reporter: nilburn <nilburn+gentoo-bugs>
Component: Current packages
Assignee: GStreamer package maintainers <gstreamer>
Status: RESOLVED FIXED
Severity: normal
CC: cJ-gentoo, cyril.baletaud, joakim.tjernlund, me, rjp421
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugzilla.gnome.org/show_bug.cgi?id=778193
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 606850

Description nilburn 2016-11-12 07:17:47 UTC
A new GStreamer version was released on 2016/11/01.

Here are the release comments.
https://gstreamer.freedesktop.org/releases/1.10/
Comment 1 Joakim Tjernlund 2017-01-02 21:33:09 UTC
Now there is 1.10.2 too.
Comment 2 Anton Bolshakov 2017-01-03 01:18:24 UTC
According to the changelog, there were multiple vulnerabilities fixed in this version:

Major bugfixes in 1.10.2

Security-relevant bugfix in the FLI/FLX/FLC decoder (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636)
Various fixes for crashes, assertions and other failures on fuzzed input files. Among others, thanks to Hanno Böck for testing and reporting (CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813).
SAVP/SAVPF profile in gst-rtsp-server works for live streams again, and the correct MIKEY policy message is generated
Further OpenGL related bugfixes
gst-libav was updated to ffmpeg 3.2.1
... and many, many more!

Please increase the priority for this bug.
Comment 3 Mart Raudsepp gentoo-dev 2017-01-03 01:27:21 UTC
Increasing a priority field doesn't affect when it's done, at least for gstreamer@ and probably many others. Well aware this is still pending.
The security bugs need backports to 1.8, we can't just introduce a 1.10 bump and then same day or week stabilize it already imo. Much of the gst-plugins-bad ones were also already done in a 1.8 revbump.
Also none of them have really been demonstrated to do more than cause a segfault really, to my knowledge. The stuff about "unrelated tracker crawler process crashing on hitting a link" was rather bogus - it was designed to be a separate process so that crashes don't hurt anything else.
Sorry it takes time, but that's how it is, and feel free to help out.
Comment 4 Anton Bolshakov 2017-01-04 06:00:59 UTC
(In reply to Mart Raudsepp from comment #3)
> Also none of them have really been demonstrated to do more than cause a
> segfault really, to my knowledge. The stuff about "unrelated tracker crawler
  <skip>
> crashes don't hurt anything else

This is not correct. Any crash can lead to a remote code execution potentially.

The exploit has been demonstrated in this case, see the following URL:
https://scarybeastsecurity.blogspot.sg/2016/11/0day-exploit-advancing-exploitation.html

"This was a fairly ridiculous exploit. But it was worth doing because it’s proof that scriptless exploits are possible, even within the context of decent 64-bit ASLR. It was possible to commandeer memory reads, writes and even additions within the decoder loop to slowly but surely advance the exploit and gain control."
Comment 5 Mart Raudsepp gentoo-dev 2017-02-13 10:23:41 UTC
All done by now except for gst-omx that I need to look at separately, stabilization ongoing at bug 601354
Comment 6 cJ 2017-02-13 14:12:17 UTC
Thank you Mart.