A new gstreamer version was released on 2016/11/01. Here are the release comments: https://gstreamer.freedesktop.org/releases/1.10/
Now there is 1.10.2 too.
According to the changelog, multiple vulnerabilities were fixed in this version:

Major bugfixes in 1.10.2
- Security-relevant bugfix in the FLI/FLX/FLC decoder (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636)
- Various fixes for crashes, assertions and other failures on fuzzed input files. Among others, thanks to Hanno Böck for testing and reporting (CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813).
- SAVP/SAVPF profile in gst-rtsp-server works for live streams again, and the correct MIKEY policy message is generated
- Further OpenGL related bugfixes
- gst-libav was updated to ffmpeg 3.2.1
- ... and many, many more!

Please increase the priority for this bug.
Increasing a priority field doesn't affect when it's done, at least for gstreamer@ and probably many others. Well aware this is still pending. The security bugs need backports to 1.8, we can't just introduce a 1.10 bump and then same day or week stabilize it already imo. Much of the gst-plugins-bad ones were also already done in a 1.8 revbump. Also none of them have really been demonstrated to do more than cause a segfault really, to my knowledge. The stuff about "unrelated tracker crawler process crashing on hitting a link" was rather bogus - it was designed to be a separate process so that crashes don't hurt anything else. Sorry it takes time, but that's how it is, and feel free to help out.
(In reply to Mart Raudsepp from comment #3)
> Also none of them have really been demonstrated to do more than cause a
> segfault really, to my knowledge. The stuff about "unrelated tracker crawler
<skip>
> crashes don't hurt anything else

This is not correct. Any crash can lead to a remote code execution potentially. The exploit has been demonstrated in this case, see the following URL: https://scarybeastsecurity.blogspot.sg/2016/11/0day-exploit-advancing-exploitation.html

"This was a fairly ridiculous exploit. But it was worth doing because it’s proof that scriptless exploits are possible, even within the context of decent 64-bit ASLR. It was possible to commandeer memory reads, writes and even additions within the decoder loop to slowly but surely advance the exploit and gain control."
All done by now except for gst-omx that I need to look at separately, stabilization ongoing at bug 601354
Thank you Mart.