Summary: | <media-plugins/gst-plugins-libav-1.10.4: Vulnerable to CVE-2017-{5024,5025} due to bundled ffmpeg-3.2.2 | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Mart Raudsepp <leio> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | gstreamer |
Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [glsa cve] | ||
Package list: |
=media-plugins/gst-plugins-libav-1.10.4
|
Runtime testing required: | --- |
Bug Depends on: | 601354, 608868 | ||
Bug Blocks: |
Description
Mart Raudsepp
![]() Hello arches, please stabilize media-video/gst-plugins-libav-1.10.4 as it bundled ffmpeg code, which is used with USE=libav. This bundled code received update from ffmpeg-3.2.2 to ffmpeg-3.2.4 for security fixes as also done for system ffmpeg in bug 608868. I have light tested it to work fine together with rest of gst 1.10.3 and checked the changes to only include this bundling update and an irrelevant configure change, so this security stabilization doesn't necessitate stabling of the rest of gst1.10.4 - 1.10.3 is sufficient as stabilized in bug 601354. An automated check of this bug failed - repoman reported dependency errors (57 lines truncated):
> dependency.bad media-plugins/gst-plugins-libav/gst-plugins-libav-1.10.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-video/ffmpeg-3.2.4:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-plugins/gst-plugins-libav/gst-plugins-libav-1.10.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-video/ffmpeg-3.2.4:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-plugins/gst-plugins-libav/gst-plugins-libav-1.10.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-video/ffmpeg-3.2.4:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
apparently stablebot isn't grokking dep bug of dep bug.. An automated check of this bug succeeded - the previous repoman errors are now resolved. amd64 stable x86 stable arm stable Stable for HPPA PPC64. ppc stable. Stable on alpha. Arches, Thank you for your work. Added to an existing GLSA Request. Can not wait on sparc. Will write and release without stable spare. This issue was resolved and addressed in GLSA 201705-05 at https://security.gentoo.org/glsa/201705-05 by GLSA coordinator Kristian Fiskerstrand (K_F). Re-Opening for SPARC and IA64 ia64 got done with the rest on bug 601354 (where I updated the target to keep things in batch for the slow ones) I've removed all sparc keywords from gst-plugins-libav due to no responses. I've also cleaned up all older versions than 1.10.4 now thanks to that. There's already 1.10.5 getting stabilized as well, but some arches are being slow there, but that's a concern for some other bug. Though we don't have other bugs about gst-plugins-libav bundling vulnerable ffmpeg, that gets used with USE=libav, and I'm pretty sure 1.10.5 doesn't have a new enough one... |