Summary: | <app-misc/gourmet-0.17.4-r2: [sound] uses security vulnerable gstreamer-0.10
---|---
Product: | Gentoo Security
Reporter: | Mart Raudsepp <leio>
Component: | Vulnerabilities
Assignee: | Joe Sapp (RETIRED) <nixphoeni>
Status: | RESOLVED FIXED
Severity: | normal
Keywords: | STABLEREQ
Priority: | Normal
Flags: | stable-bot: sanity-check+
Version: | unspecified
Hardware: | All
OS: | Linux
Whiteboard: | C3 [stable]
Package list: | app-misc/gourmet-0.17.4-r2
Runtime testing required: | ---
Bug Depends on: |
Bug Blocks: | 550648
Attachments: |

Description
Mart Raudsepp
2017-02-22 00:33:46 UTC
Thanks for the detailed report. I will ask upstream and see if I can remove the option from existing versions.

Created attachment 480098 [details, diff]
gst1.diff

Debian is applying this patch for compat with gstreamer1

Joe: ping

(In reply to Pacho Ramos from comment #2)
> Created attachment 480098 [details, diff]
> gst1.diff
>
> Debian is applying this patch for compat with gstreamer1

That one looks very wrong. It should be Gst.ElementFactory.make, and 'playbin', not 'playbin2'. I also don't see any Gst.init(None) call anywhere, which I think is needed.

(In reply to Pacho Ramos from comment #2)
> Created attachment 480098 [details, diff]
> gst1.diff
>
> Debian is applying this patch for compat with gstreamer1

Thanks Pacho. I tried to use the patch but there were problems with importing. I'm modifying the latest upstream and testing it now. I've also removed the old ebuild, so all we have to do is wait ~1 month, stabilize it, and this bug can be closed.

My patch is in git now. It seems to work better with pyglet-1.2.4, but I don't think it should hold up stabilizing this package in a month. Maybe once bug #625152 is resolved then the dep can be updated.

You don't need to wait a month, but can request earlier at maintainer discretion. I would suggest immediately, but with the pyglet stablereq as a dependency, so it gets done first. This is security relevant.

@Arches, please continue stabilization, Thank you.

=app-misc/gourmet-0.17.4-r2

Gentoo Security Padaway
Daj Uan (jmbailey)

x86 stable

amd64 stable. Closing.
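The review comment above on gst1.diff names three things a GStreamer 1.0 port has to get right: `Gst.ElementFactory.make`, the element name 'playbin' rather than 'playbin2', and a `Gst.init(None)` call. The following is an added example, not code from this bug, from gourmet or from the Debian patch: a small lint that flags leftover gstreamer-0.10 (pygst) idioms and a missing `Gst.init()` in Python source. The function name `audit_source` and the three sample inputs are constructed for illustration.

```python
import re

# GStreamer 0.10 (pygst) idioms, plus the element name flagged in the review.
LEGACY_PATTERNS = [
    (re.compile(r"pygst\.require\(\s*['\"]0\.10['\"]\s*\)"),
     "pygst.require('0.10') selects the 0.10 bindings"),
    (re.compile(r"^\s*import\s+gst\b"),
     "'import gst' loads the 0.10 bindings"),
    (re.compile(r"\bgst\.element_factory_make\("),
     "0.10 factory call; 1.0 uses Gst.ElementFactory.make"),
    (re.compile(r"['\"]playbin2['\"]"),
     "'playbin2' is the 0.10 element name; 1.0 uses 'playbin'"),
]
GST1_IMPORT = re.compile(r"from\s+gi\.repository\s+import\s+.*\bGst\b")
GST_INIT = re.compile(r"\bGst\.init\(")

def audit_source(text):
    """Return (line, message) findings; line 0 is file-wide. Comments are stripped naively."""
    lines = [line.split("#", 1)[0] for line in text.splitlines()]
    findings = []
    for number, code in enumerate(lines, start=1):
        for pattern, message in LEGACY_PATTERNS:
            if pattern.search(code):
                findings.append((number, message))
    whole = "\n".join(lines)
    if GST1_IMPORT.search(whole) and not GST_INIT.search(whole):
        findings.append((0, "Gst is imported but Gst.init() is never called"))
    return findings

# Constructed sample inputs (not taken from gourmet or from gst1.diff).
LEGACY_SAMPLE = "\n".join([
    "import pygst",
    "pygst.require('0.10')",
    "import gst",
    "player = gst.element_factory_make('playbin2', 'player')",
])
HALF_PORTED_SAMPLE = "\n".join([
    "from gi.repository import Gst",
    "player = Gst.ElementFactory.make('playbin2', 'player')",
])
PORTED_SAMPLE = "\n".join([
    "import gi",
    "gi.require_version('Gst', '1.0')",
    "from gi.repository import Gst",
    "Gst.init(None)",
    "player = Gst.ElementFactory.make('playbin', 'player')",
])
if __name__ == "__main__":
    print([audit_source(s) for s in (LEGACY_SAMPLE, HALF_PORTED_SAMPLE, PORTED_SAMPLE)])
```

A clean result only means none of these specific idioms remain; it does not replace runtime testing of sound playback against gstreamer 1.0.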