Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 610810 - <media-plugins/gst-plugins-libav-1.10.4: Vulnerable to CVE-2017-{5024,5025} due to bundled ffmpeg-3.2.2
Summary: <media-plugins/gst-plugins-libav-1.10.4: Vulnerable to CVE-2017-{5024,5025} d...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa cve]
Depends on: CVE-2016-10198, CVE-2016-10199, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5846, CVE-2017-5847, CVE-2017-5848 608868
  Show dependency tree
Reported: 2017-02-24 15:25 UTC by Mart Raudsepp
Modified: 2017-11-02 15:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Mart Raudsepp gentoo-dev 2017-02-24 15:25:04 UTC
gst-plugins-libav-1.10.3 is being stabled for other gstreamer vulnerabilities (just to stay in sync with others and thus work together properly), but bundles ffmpeg-3.2.2, which received security fixes in 3.2.4 release.
This bundled copy of ffmpeg is used with USE=libav, to support system-libav choice over system-ffmpeg - it is buggy with libav (upstream welcomes patches to fix that, but no-one has done it), and thus we instead use the bundled ffmpeg with USE=libav (commonly set globally by users of system libav), as we can't depend on system ffmpeg when the user has chosen to use system libav instead as they can't be both installed on the system.

The gst-libav-1.10.4 release updates the bundled version to 3.2.4, thus fixing the vulnerabilities if media-plugins/gst-plugins-libav[libav] is used.
Comment 1 Mart Raudsepp gentoo-dev 2017-02-24 20:16:50 UTC
Hello arches, please stabilize media-video/gst-plugins-libav-1.10.4 as it bundled ffmpeg code, which is used with USE=libav. This bundled code received update from ffmpeg-3.2.2 to ffmpeg-3.2.4 for security fixes as also done for system ffmpeg in bug 608868.
I have light tested it to work fine together with rest of gst 1.10.3 and checked the changes to only include this bundling update and an irrelevant configure change, so this security stabilization doesn't necessitate stabling of the rest of gst1.10.4 - 1.10.3 is sufficient as stabilized in bug 601354.
Comment 2 Stabilization helper bot gentoo-dev 2017-02-24 21:08:21 UTC
An automated check of this bug failed - repoman reported dependency errors (57 lines truncated): 

> dependency.bad media-plugins/gst-plugins-libav/gst-plugins-libav-1.10.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-video/ffmpeg-3.2.4:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-plugins/gst-plugins-libav/gst-plugins-libav-1.10.4.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-video/ffmpeg-3.2.4:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-plugins/gst-plugins-libav/gst-plugins-libav-1.10.4.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-video/ffmpeg-3.2.4:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 3 Mart Raudsepp gentoo-dev 2017-02-24 22:26:31 UTC
apparently stablebot isn't grokking dep bug of dep bug..
Comment 4 Stabilization helper bot gentoo-dev 2017-02-24 22:46:21 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 5 Agostino Sarubbo gentoo-dev 2017-02-25 09:57:24 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-25 09:58:32 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2017-02-28 17:34:13 UTC
arm stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-08 05:13:19 UTC
Stable for HPPA PPC64.
Comment 9 Michael Weber (RETIRED) gentoo-dev 2017-03-14 23:06:01 UTC
ppc stable.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-05 14:07:40 UTC
Stable on alpha.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2017-04-26 01:21:05 UTC
Arches, Thank you for your work.
Added to an existing GLSA Request.

Can not wait on sparc. Will write and release without stable spare.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-05-09 19:35:37 UTC
This issue was resolved and addressed in
 GLSA 201705-05 at
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2017-05-18 03:50:48 UTC
Re-Opening for SPARC and IA64
Comment 14 Mart Raudsepp gentoo-dev 2017-06-18 08:03:23 UTC
ia64 got done with the rest on bug 601354 (where I updated the target to keep things in batch for the slow ones)
Comment 15 Mart Raudsepp gentoo-dev 2017-09-02 04:30:41 UTC
I've removed all sparc keywords from gst-plugins-libav due to no responses.
I've also cleaned up all older versions than 1.10.4 now thanks to that.

There's already 1.10.5 getting stabilized as well, but some arches are being slow there, but that's a concern for some other bug. Though we don't have other bugs about gst-plugins-libav bundling vulnerable ffmpeg, that gets used with USE=libav, and I'm pretty sure 1.10.5 doesn't have a new enough one...