| Field | Value |
|---|---|
| Summary | <media-libs/gst-plugins-{good,base,bad,ugly}-1.10.3: Multiple vulnerabilities |
| Product | Gentoo Security |
| Reporter | Hanno Böck <hanno> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | gstreamer, pachnekrobert |
| Priority | Normal |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B2 [glsa cve] |
Package list:
media-libs/gstreamer-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-libs/gst-plugins-base-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-opus-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-libvisual-1.10.3 amd64 hppa ppc ppc64 sparc x86
media-plugins/gst-plugins-cdparanoia-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-libs/gst-plugins-good-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-dv-1.10.3 alpha amd64 hppa ppc ppc64 x86
media-plugins/gst-plugins-flac-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-gdkpixbuf-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-jack-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-jpeg-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-libpng-1.10.3 alpha amd64 ppc ppc64 sparc x86
media-plugins/gst-plugins-oss-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-pulse-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-raw1394-1.10.3 amd64 ppc ppc64 x86
media-plugins/gst-plugins-shout2-1.10.3 alpha amd64 ppc ppc64 x86
media-plugins/gst-plugins-soup-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-speex-1.10.3 alpha amd64 hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-taglib-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-v4l2-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-wavpack-1.10.3 alpha amd64 hppa ppc ppc64 x86
media-plugins/gst-plugins-vpx-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 x86
media-plugins/gst-plugins-ximagesrc-1.10.3 amd64 ppc ppc64 x86
media-libs/gst-plugins-ugly-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-a52dec-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-amr-1.10.3 amd64 x86
media-plugins/gst-plugins-cdio-1.10.3 alpha amd64 ppc ppc64 x86
media-plugins/gst-plugins-dvdread-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-lame-1.10.3 alpha amd64 hppa ppc ppc64 sparc x86
media-plugins/gst-plugins-mad-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-mpeg2dec-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-sidplay-1.10.3 alpha amd64 ppc ppc64 sparc x86
media-plugins/gst-plugins-twolame-1.10.3 alpha amd64 ppc ppc64 sparc x86
media-plugins/gst-plugins-x264-1.10.3 alpha amd64 hppa ppc ppc64 sparc x86
media-plugins/gst-plugins-libav-1.10.4 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-libs/gst-plugins-bad-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-vaapi-1.10.3 amd64 x86
media-plugins/gst-plugins-assrender-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-bluez-1.10.3 amd64 x86
media-plugins/gst-plugins-dash-1.10.3 amd64 x86
media-plugins/gst-plugins-dtls-1.10.3 amd64 x86
media-plugins/gst-plugins-dts-1.10.3 amd64 hppa x86
media-plugins/gst-plugins-dvb-1.10.3 alpha amd64 arm ppc ppc64 x86
media-plugins/gst-plugins-faac-1.10.3 alpha amd64 ppc ppc64 x86
media-plugins/gst-plugins-faad-1.10.3 alpha amd64 hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-hls-1.10.3 amd64 x86
media-plugins/gst-plugins-libde265-1.10.3 amd64 x86
media-plugins/gst-plugins-libmms-1.10.3 alpha amd64 hppa ppc ppc64 sparc x86
media-plugins/gst-plugins-modplug-1.10.3 amd64 hppa ppc ppc64 x86
media-plugins/gst-plugins-mpeg2enc-1.10.3 amd64 x86
media-plugins/gst-plugins-mplex-1.10.3 alpha amd64 hppa x86
media-plugins/gst-plugins-neon-1.10.3 alpha amd64 ppc ppc64 x86
media-plugins/gst-plugins-ofa-1.10.3 amd64 x86
media-plugins/gst-plugins-openh264-1.10.3 amd64 x86
media-plugins/gst-plugins-resindvd-1.10.3 alpha amd64 arm hppa ppc ppc64 sparc x86
media-plugins/gst-plugins-rtmp-1.10.3 amd64 x86
media-plugins/gst-plugins-schroedinger-1.10.3 amd64 x86
media-plugins/gst-plugins-smoothstreaming-1.10.3 amd64 x86
media-plugins/gst-plugins-soundtouch-1.10.3 amd64 x86
media-plugins/gst-plugins-uvch264-1.10.3 amd64 x86
media-plugins/gst-plugins-voaacenc-1.10.3 amd64 x86
media-plugins/gst-plugins-voamrwbenc-1.10.3 amd64 x86
media-plugins/gst-plugins-x265-1.10.3 amd64 x86
dev-python/gst-python-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-libs/gstreamer-editing-services-1.10.3 amd64 x86
media-libs/gst-rtsp-server-1.10.3 amd64 x86
media-plugins/gst-plugins-meta-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

| Field | Value |
|---|---|
| Runtime testing required | --- |
| Bug Depends on | 574786, 608868 |
| Bug Blocks | 610810, 611736 |
Description
Hanno Böck
2016-12-01 14:41:21 UTC
*** Bug 600506 has been marked as a duplicate of this bug. ***

http://seclists.org/oss-sec/2016/q4/517 is actually the CVE-2016-9634, CVE-2016-9635, CVE-2016-9636 stuff. But keeping it on this bug as it'll all be done in one.

Adding aliases for the CVEs that were assigned for the mail copy-pasted here. Package fixes will follow soon finally.

Adding CVEs for http://www.openwall.com/lists/oss-security/2017/02/01/7 and http://www.openwall.com/lists/oss-security/2017/02/02/9 also under here as it's all handled together now.

Removing cve whiteboard entry because of the new CVEs added here probably needing association in glsamaker?

Adding mention of gst-plugins-ugly to summary as at least the added CVE-2017-5847 affects that.

Arches, please test and stable the given package list. You will need ffmpeg-3 as well, as gst-plugins-libav-1.10.3 doesn't work against ffmpeg-2.8 anymore and it's too risky to keep it at 1.8.3 while the rest is 1.10 (plus it's known to be broken against ffmpeg-2.8 with missing codecs due to a bug in gst-libav-1.8.3 release). Some of you don't even have keywords for the new version yet, but well, the KEYWORDREQ for that has been open for over a year(!), so yeah, now needs to go stable immediately as well.

Removing B2 severity judgment due to 14 new CVEs added to this bug whose severity hasn't been judged yet for GLSA purposes.

Note that gstreamer 0.10 SLOT is still vulnerable for many or most of this; the intention there is to last rite 0.10 slots, the GLSA(s) should just report vulnerable for 0.10 too (just not slot restricting <1.10.3 I guess).

After reviewing added CVEs, rating is still B2.

@ Maintainer(s): You changed whiteboard to "stable" and set package list but you did not CC arches. Can we start stabilization or do we have to wait for bug 608868?

Yes, I assumed I CCed but seem to have forgotten with all the other changes done and was starting to wonder why no-one has stabled yet.

Arches, please test and stable the given package list.
You will need ffmpeg-3 as well, as gst-plugins-libav-1.10.3 doesn't work against ffmpeg-2.8 anymore and it's too risky to keep it at 1.8.3 while the rest is 1.10 (plus it's known to be broken against ffmpeg-2.8 with missing codecs due to a bug in gst-libav-1.8.3 release). Some of you don't even have keywords for the new version yet, but well, the KEYWORDREQ for that has been open for over a year(!), so yeah, now needs to go stable immediately as well.

And yes, we do need to have each architecture do bug 608868 as well, but that's marked as a depends here (gst-plugins-libav-1.10.3 needs it).

An automated check of this bug failed - repoman reported dependency errors (109 lines truncated):
> dependency.bad media-libs/gstreamer/gstreamer-1.10.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=sys-libs/libunwind-1.2_rc1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/gstreamer/gstreamer-1.10.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=sys-libs/libunwind-1.2_rc1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/gstreamer/gstreamer-1.10.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=sys-libs/libunwind-1.2_rc1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Removing sanity-check result to have a re-run after package.use.stable.mask'ing USE=unwind.

commit eedf9851803d65929642aea4b1edc1baaf1668d8
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Mon Feb 13 15:15:01 2017 +0200

    profiles: package.use.stable.mask media-libs/gstreamer unwind

    Blocking security stabilization, while only used in the leak tracer, which is primarily used for leak testing in upstream jenkins CI runs.

arm stable

@arm: At least gst-plugins-libav-1.10.3 is not done; 1.8.3 is broken as-is with older ffmpeg-2.8 (missing codec exports at gst side, etc).

Adding media-plugins/gst-plugins-meta-1.10.3 to the list to have the metapackage force security fixed versions as well. Some keywords were dropped on that for now due to gst-plugins-libav keywords droppage due to the delayed keywording of ffmpeg-3.2; should straight to stable this as well after doing gst-plugins-libav.

amd64 stable

You forgot to stable media-plugins/gst-plugins-srtp-1.10.3

(In reply to Joakim Tjernlund from comment #17)
> You forgot to stable
> media-plugins/gst-plugins-srtp-1.10.3

that has never been in stable yet; if you want it stable, then it's a separate newstable request in a new bug.

(In reply to Mart Raudsepp from comment #18)
> (In reply to Joakim Tjernlund from comment #17)
> > You forgot to stable
> > media-plugins/gst-plugins-srtp-1.10.3
>
> that has never been in stable yet; if you want it stable, then it's a
> separate newstable request in a new bug.

New bug in https://bugs.gentoo.org/show_bug.cgi?id=609540

x86 stable

Stable for HPPA.

ppc64 stable

ppc stable

Updating gst-plugins-libav target from 1.10.3 to 1.10.4 for security bug 610810, so arches that haven't done it yet can do it immediately instead.

Removing arm@ CC again; the missed gst-plugins-libav got done via bug 610810 and I think nothing else was missed.

Stable on alpha.

Cannot wait on sparc any longer. Arches, thank you for your work. New GLSA Request filed.

This issue was resolved and addressed in GLSA 201705-10 at https://security.gentoo.org/glsa/201705-10 by GLSA coordinator Yury German (BlueKnight).

ReOpening for stabilization of ia64 and sparc, please finish stabilization or drop from stable.

ia64 stable

Due to sparc failing to action this in any reasonable timeline, I have gone ahead and dropped all stable sparc keywords on gstreamer things, dropping them to ~sparc for now. If they don't wake up, I may grow a desire to also drop the ~sparc keywords at some point in the future. All keywords were dropped on gst-plugins-libav, as they have also failed to re-keyword ffmpeg-3.2+ and newer gst-plugins-libav. Should sparc ever feel like catching up with this and re-stabilizing things, then there's a bunch of gstreamer package.use.mask and package.use.stable.mask in there now to cleanly remove the keywords without touching stuff I don't maintain - these might get converted to a global use.stable.mask or use.mask for sparc in the future, once 0.10 exits the tree. With this, cleanup for gstreamer 1.0 got done as well, albeit some of these vulnerabilities probably affect gstreamer 0.10 things, which are still pending on bug 550648 for cleanup.