Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 610436 - <app-misc/gourmet-0.17.4-r2: [sound] uses security vulnerable gstreamer-0.10
Summary: <app-misc/gourmet-0.17.4-r2: [sound] uses security vulnerable gstreamer-0.10
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Joe Sapp (RETIRED)
Whiteboard: C3 [stable]
Depends on:
Blocks: gst-0.10-removal
  Show dependency tree
Reported: 2017-02-22 00:33 UTC by Mart Raudsepp
Modified: 2017-10-25 09:31 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+

gst1.diff (02_gstreamer-1.0.diff,1.04 KB, patch)
2017-07-03 08:40 UTC, Pacho Ramos
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mart Raudsepp gentoo-dev 2017-02-22 00:33:46 UTC
Some gstreamer 0.10 demuxers and codecs are known vulnerable and it is time to move on and not try to backport patches of bugs that happened to have a CVE stamped on it (many of which aren't easily exploitable at all, while other things might be that don't have a CVE number as it's a dead version).

However app-misc/gourmet[sound] still uses it, blocking the security cleanup.
Please remove the sound option, or look into updating the version in tree to some newer version or talking to upstream to finally make a new release - upstream git has support for newer safe gstreamer SLOT and using dev-python/pyglet instead as a higher preference as well (as a gstreamer maintainer, why would that be preferred when present is beyond me, but hey :D).

This bug is not considered fixed (to unblock 550648) until all gstreamer:0.10 referencing revisions are gone from the main tree.
Comment 1 Joe Sapp (RETIRED) gentoo-dev 2017-03-13 01:35:04 UTC
Thanks for the detailed report.  I will ask upstream and see if I can remove the option from existing versions.
Comment 2 Pacho Ramos gentoo-dev 2017-07-03 08:40:56 UTC
Created attachment 480098 [details, diff]

Debian is applying this patch for compat with gstreamer1
Comment 3 Mart Raudsepp gentoo-dev 2017-07-09 00:27:35 UTC
Joe: ping
Comment 4 Mart Raudsepp gentoo-dev 2017-07-09 00:32:52 UTC
(In reply to Pacho Ramos from comment #2)
> Created attachment 480098 [details, diff] [details, diff]
> gst1.diff
> Debian is applying this patch for compat with gstreamer1

That one looks very wrong.
It should be Gst.ElementFactory.make, and 'playbin', not 'playbin2'.
I also don't see any Gst.init(None) call anywhere, which I think is needed.
Comment 5 Joe Sapp (RETIRED) gentoo-dev 2017-07-15 01:17:02 UTC
(In reply to Pacho Ramos from comment #2)
> Created attachment 480098 [details, diff] [details, diff]
> gst1.diff
> Debian is applying this patch for compat with gstreamer1

Thanks Pacho.  I tried to use the patch but there were problems with importing.  I'm modifying the latest upstream and testing it now.

I've also removed the old ebuild, so all we have to do is wait ~1 month, stabilize it, and this bug can be closed.
Comment 6 Joe Sapp (RETIRED) gentoo-dev 2017-07-15 01:47:56 UTC
My patch is in git now.  It seems to work better with pyglet-1.2.4, but I don't think it should hold up stabilizing this package in a month.  Maybe once bug #625152 is resolved then the dep can be updated.
Comment 7 Mart Raudsepp gentoo-dev 2017-07-15 03:00:55 UTC
You don't need to wait a month, but can request earlier at maintainer discretion. I would suggest immediately, but with the pyglet stablereq as a dependency, so it gets done first. This is security relevant.
Comment 8 D'juan McDonald (domhnall) 2017-10-01 01:46:15 UTC
@Arches, please continue stabilization, Thank you.


Gentoo Security Padaway
Daj Uan (jmbailey)
Comment 9 Thomas Deutschmann gentoo-dev Security 2017-10-13 15:06:39 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-10-25 09:31:19 UTC
amd64 stable. Closing.