Some gstreamer 0.10 demuxers and codecs are known vulnerable and it is time to move on and not try to backport patches for bugs that happened to have a CVE stamped on them (many of which aren't easily exploitable at all, while other things that don't have a CVE number might be, as it's a dead version). However app-misc/gourmet[sound] still uses it, blocking the security cleanup. Please remove the sound option, or look into updating the version in tree to some newer version, or talk to upstream to finally make a new release - upstream git has support for the newer safe gstreamer SLOT and also prefers dev-python/pyglet when present (as a gstreamer maintainer, why that would be preferred is beyond me, but hey :D). This bug is not considered fixed (to unblock 550648) until all gstreamer:0.10 referencing revisions are gone from the main tree.
Thanks for the detailed report. I will ask upstream and see if I can remove the option from existing versions.
Created attachment 480098 [details, diff] gst1.diff
Debian is applying this patch for compat with gstreamer1
Joe: ping
(In reply to Pacho Ramos from comment #2)
> Created attachment 480098 [details, diff] gst1.diff
>
> Debian is applying this patch for compat with gstreamer1

That one looks very wrong. It should be Gst.ElementFactory.make, and 'playbin', not 'playbin2'. I also don't see any Gst.init(None) call anywhere, which I think is needed.
(In reply to Pacho Ramos from comment #2)
> Created attachment 480098 [details, diff] gst1.diff
>
> Debian is applying this patch for compat with gstreamer1

Thanks Pacho. I tried to use the patch but there were problems with importing. I'm modifying the latest upstream and testing it now. I've also removed the old ebuild, so all we have to do is wait ~1 month, stabilize it, and this bug can be closed.
My patch is in git now. It seems to work better with pyglet-1.2.4, but I don't think it should hold up stabilizing this package in a month. Maybe once bug #625152 is resolved then the dep can be updated.
You don't need to wait a month, but can request earlier at maintainer discretion. I would suggest immediately, but with the pyglet stablereq as a dependency, so it gets done first. This is security relevant.
@Arches, please continue stabilization. Thank you. =app-misc/gourmet-0.17.4-r2 Gentoo Security Padaway Daj Uan (jmbailey)
x86 stable
amd64 stable. Closing.