Bug 601354 (CVE-2016-10198, CVE-2016-10199, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5846, CVE-2017-5847, CVE-2017-5848) - <media-libs/gst-plugins-{good,base,bad,ugly}-1.10.3: Multiple vulnerabilities
Summary: <media-libs/gst-plugins-{good,base,bad,ugly}-1.10.3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-10198, CVE-2016-10199, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5846, CVE-2017-5847, CVE-2017-5848
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Duplicates: 600506
Depends on: 574786 608868
Blocks: 610810 611736
Reported: 2016-12-01 14:41 UTC by Hanno Böck
Modified: 2017-11-02 15:31 UTC

See Also:
Package list:
media-libs/gstreamer-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-libs/gst-plugins-base-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-opus-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-libvisual-1.10.3 amd64 hppa ppc ppc64 sparc x86
media-plugins/gst-plugins-cdparanoia-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-libs/gst-plugins-good-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-dv-1.10.3 alpha amd64 hppa ppc ppc64 x86
media-plugins/gst-plugins-flac-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-gdkpixbuf-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-jack-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-jpeg-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-libpng-1.10.3 alpha amd64 ppc ppc64 sparc x86
media-plugins/gst-plugins-oss-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-pulse-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-raw1394-1.10.3 amd64 ppc ppc64 x86
media-plugins/gst-plugins-shout2-1.10.3 alpha amd64 ppc ppc64 x86
media-plugins/gst-plugins-soup-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-speex-1.10.3 alpha amd64 hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-taglib-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-v4l2-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-wavpack-1.10.3 alpha amd64 hppa ppc ppc64 x86
media-plugins/gst-plugins-vpx-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 x86
media-plugins/gst-plugins-ximagesrc-1.10.3 amd64 ppc ppc64 x86
media-libs/gst-plugins-ugly-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-a52dec-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-amr-1.10.3 amd64 x86
media-plugins/gst-plugins-cdio-1.10.3 alpha amd64 ppc ppc64 x86
media-plugins/gst-plugins-dvdread-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-lame-1.10.3 alpha amd64 hppa ppc ppc64 sparc x86
media-plugins/gst-plugins-mad-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-mpeg2dec-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-sidplay-1.10.3 alpha amd64 ppc ppc64 sparc x86
media-plugins/gst-plugins-twolame-1.10.3 alpha amd64 ppc ppc64 sparc x86
media-plugins/gst-plugins-x264-1.10.3 alpha amd64 hppa ppc ppc64 sparc x86
media-plugins/gst-plugins-libav-1.10.4 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-libs/gst-plugins-bad-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-vaapi-1.10.3 amd64 x86
media-plugins/gst-plugins-assrender-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-bluez-1.10.3 amd64 x86
media-plugins/gst-plugins-dash-1.10.3 amd64 x86
media-plugins/gst-plugins-dtls-1.10.3 amd64 x86
media-plugins/gst-plugins-dts-1.10.3 amd64 hppa x86
media-plugins/gst-plugins-dvb-1.10.3 alpha amd64 arm ppc ppc64 x86
media-plugins/gst-plugins-faac-1.10.3 alpha amd64 ppc ppc64 x86
media-plugins/gst-plugins-faad-1.10.3 alpha amd64 hppa ia64 ppc ppc64 sparc x86
media-plugins/gst-plugins-hls-1.10.3 amd64 x86
media-plugins/gst-plugins-libde265-1.10.3 amd64 x86
media-plugins/gst-plugins-libmms-1.10.3 alpha amd64 hppa ppc ppc64 sparc x86
media-plugins/gst-plugins-modplug-1.10.3 amd64 hppa ppc ppc64 x86
media-plugins/gst-plugins-mpeg2enc-1.10.3 amd64 x86
media-plugins/gst-plugins-mplex-1.10.3 alpha amd64 hppa x86
media-plugins/gst-plugins-neon-1.10.3 alpha amd64 ppc ppc64 x86
media-plugins/gst-plugins-ofa-1.10.3 amd64 x86
media-plugins/gst-plugins-openh264-1.10.3 amd64 x86
media-plugins/gst-plugins-resindvd-1.10.3 alpha amd64 arm hppa ppc ppc64 sparc x86
media-plugins/gst-plugins-rtmp-1.10.3 amd64 x86
media-plugins/gst-plugins-schroedinger-1.10.3 amd64 x86
media-plugins/gst-plugins-smoothstreaming-1.10.3 amd64 x86
media-plugins/gst-plugins-soundtouch-1.10.3 amd64 x86
media-plugins/gst-plugins-uvch264-1.10.3 amd64 x86
media-plugins/gst-plugins-voaacenc-1.10.3 amd64 x86
media-plugins/gst-plugins-voamrwbenc-1.10.3 amd64 x86
media-plugins/gst-plugins-x265-1.10.3 amd64 x86
dev-python/gst-python-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
media-libs/gstreamer-editing-services-1.10.3 amd64 x86
media-libs/gst-rtsp-server-1.10.3 amd64 x86
media-plugins/gst-plugins-meta-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Runtime testing required: ---
stable-bot: sanity-check+

Description Hanno Böck gentoo-dev 2016-12-01 14:41:21 UTC
gstreamer 1.10.2 fixes multiple memory safety issues:
http://www.openwall.com/lists/oss-security/2016/12/01/2

Some of them are related to Chris Evans' latest blog posts, some to my fuzzing work. I can already announce that there's more to come with the next update.

From the oss-sec post:

https://bugzilla.gnome.org/show_bug.cgi?id=774859
Invalid memory read in flx_decode_chunks (gst-plugins-good)
The fix is a larger rewrite of the affected code paths and probably
fixed a bunch of other issues on the way. It also fixes the second flic
bug reported by Chris Evans described here:
https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-incorrect-fix-for-gstreamer.html

https://bugzilla.gnome.org/show_bug.cgi?id=774896
h264: one byte heap off by one read in gst_h264_parse_set_caps
(gst-plugins-bad)

https://bugzilla.gnome.org/show_bug.cgi?id=774897
Invalid memory read in glib caused by one invalid unref call in the
flxdec decoder. (gst-plugins-good)

https://bugzilla.gnome.org/show_bug.cgi?id=774902
4 byte heap out of bounds read in windows_icon_typefind
(gst-plugins-base)

https://bugzilla.gnome.org/show_bug.cgi?id=775048
2 byte heap out of bounds read in gst_mpegts_section_new
(gst-plugins-bad).

https://bugzilla.gnome.org/show_bug.cgi?id=775120
null pointer deref (segfault) in mpegts decoder / _parse_pat
(gst-plugins-bad)
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 14:54:32 UTC
*** Bug 600506 has been marked as a duplicate of this bug. ***
Comment 2 Mart Raudsepp gentoo-dev 2017-01-21 07:54:41 UTC
http://seclists.org/oss-sec/2016/q4/517 is actually the CVE-2016-9634, CVE-2016-9635, CVE-2016-9636 stuff. But keeping it on this bug as it'll all be done in one.
Adding aliases for the CVEs that were assigned for the mail copy-pasted here. Package fixes will follow soon finally.
Comment 3 Mart Raudsepp gentoo-dev 2017-02-11 12:57:28 UTC
Adding CVEs for
http://www.openwall.com/lists/oss-security/2017/02/01/7
http://www.openwall.com/lists/oss-security/2017/02/02/9
also under here as it's all handled together now.
Comment 4 Mart Raudsepp gentoo-dev 2017-02-11 12:58:13 UTC
removing cve whiteboard entry because of the new CVEs added here probably needing association in glsamaker?
Comment 5 Mart Raudsepp gentoo-dev 2017-02-11 15:33:16 UTC
Adding mention of gst-plugins-ugly to summary as at least the added CVE-2017-5847 affects that.

Arches, please test and stable the given package list. You will need ffmpeg-3 as well, as gst-plugins-libav-1.10.3 doesn't work against ffmpeg-2.8 anymore and it's too risky to keep it at 1.8.3 while the rest is 1.10 (plus it's known to be broken against ffmpeg-2.8 with missing codecs due to a bug in gst-libav-1.8.3 release). Some of you don't even have keywords for the new version yet, but well, the KEYWORDREQ for that has been open for over a year(!), so yeah, now needs to go stable immediately as well.
Comment 6 Mart Raudsepp gentoo-dev 2017-02-11 15:34:08 UTC
Removing B2 severity judgment due to 14 new CVEs added to this bug whose severity hasn't been judged yet for GLSA purposes
Comment 7 Mart Raudsepp gentoo-dev 2017-02-11 15:40:54 UTC
Note that gstreamer 0.10 SLOT is still vulnerable for many or most of this; the intention there is to last rite 0.10 slots, the GLSA(s) should just report vulnerable for 0.10 too (just not slot restricting <1.10.3 I guess)
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 01:51:17 UTC
After reviewing added CVEs, rating is still B2.

@ Maintainer(s): You changed whiteboard to "stable" and set package list but you did not CC arches. Can we start stabilization or do we have to wait for bug 608868?
Comment 9 Mart Raudsepp gentoo-dev 2017-02-13 10:27:28 UTC
yes, I assumed I CCed but seem to have forgotten with all the other changes done and was starting to wonder why no-one has stabled yet.

Arches, please test and stable the given package list. You will need ffmpeg-3 as well, as gst-plugins-libav-1.10.3 doesn't work against ffmpeg-2.8 anymore and it's too risky to keep it at 1.8.3 while the rest is 1.10 (plus it's known to be broken against ffmpeg-2.8 with missing codecs due to a bug in gst-libav-1.8.3 release). Some of you don't even have keywords for the new version yet, but well, the KEYWORDREQ for that has been open for over a year(!), so yeah, now needs to go stable immediately as well.
Comment 10 Mart Raudsepp gentoo-dev 2017-02-13 10:28:46 UTC
and yes, we do need to have each architecture do bug 608868 as well, but that's marked as a depends here (gst-plugins-libav-1.10.3 needs it)
Comment 11 Stabilization helper bot gentoo-dev 2017-02-13 11:18:37 UTC
An automated check of this bug failed - repoman reported dependency errors (109 lines truncated): 

> dependency.bad media-libs/gstreamer/gstreamer-1.10.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=sys-libs/libunwind-1.2_rc1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/gstreamer/gstreamer-1.10.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=sys-libs/libunwind-1.2_rc1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/gstreamer/gstreamer-1.10.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=sys-libs/libunwind-1.2_rc1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 12 Mart Raudsepp gentoo-dev 2017-02-13 13:17:26 UTC
Removing sanity-check result to have a re-run after package.use.stable.mask'ing USE=unwind

commit eedf9851803d65929642aea4b1edc1baaf1668d8
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Mon Feb 13 15:15:01 2017 +0200

    profiles: package.use.stable.mask media-libs/gstreamer unwind
    
    Blocking security stabilization, while only used in the leak tracer,
    which is primarily used for leak testing in upstream jenkins CI runs.
Comment 13 Markus Meier gentoo-dev 2017-02-15 17:51:08 UTC
arm stable
Comment 14 Mart Raudsepp gentoo-dev 2017-02-15 18:13:05 UTC
@arm: At least gst-plugins-libav-1.10.3 is not done; 1.8.3 is broken as-is with older ffmpeg-2.8 (missing codec exports at gst side, etc)
Comment 15 Mart Raudsepp gentoo-dev 2017-02-15 21:20:07 UTC
Adding media-plugins/gst-plugins-meta-1.10.3 to the list to have the metapackage force security fixed versions as well. Some keywords were dropped on that for now due to gst-plugins-libav keywords droppage due to the delayed keywording of ffmpeg-3.2; should straight to stable this as well after doing gst-plugins-libav.
Comment 16 Agostino Sarubbo gentoo-dev 2017-02-16 13:25:57 UTC
amd64 stable
Comment 17 Joakim Tjernlund 2017-02-16 15:28:57 UTC
You forgot to stable 
media-plugins/gst-plugins-srtp-1.10.3
Comment 18 Mart Raudsepp gentoo-dev 2017-02-16 15:43:52 UTC
(In reply to Joakim Tjernlund from comment #17)
> You forgot to stable 
> media-plugins/gst-plugins-srtp-1.10.3

that has never been in stable yet; if you want it stable, then it's a separate newstable request in a new bug.
Comment 19 Joakim Tjernlund 2017-02-16 16:18:17 UTC
(In reply to Mart Raudsepp from comment #18)
> (In reply to Joakim Tjernlund from comment #17)
> > You forgot to stable 
> > media-plugins/gst-plugins-srtp-1.10.3
> 
> that has never been in stable yet; if you want it stable, then it's a
> separate newstable request in a new bug.

New bug in
https://bugs.gentoo.org/show_bug.cgi?id=609540
Comment 20 Agostino Sarubbo gentoo-dev 2017-02-16 17:26:45 UTC
x86 stable
Comment 21 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-19 12:00:35 UTC
Stable for HPPA.
Comment 22 Agostino Sarubbo gentoo-dev 2017-02-24 13:51:22 UTC
ppc64 stable
Comment 23 Agostino Sarubbo gentoo-dev 2017-02-24 14:08:04 UTC
ppc stable
Comment 24 Mart Raudsepp gentoo-dev 2017-02-24 20:18:14 UTC
Updating gst-plugins-libav target from 1.10.3 to 1.10.4 for security bug 610810, so arches that haven't done it yet, can do it immediately instead.
Comment 25 Mart Raudsepp gentoo-dev 2017-03-23 01:01:51 UTC
Removing arm@ CC again; the missed gst-plugins-libav got done via bug 610810 and I think nothing else was missed.
Comment 26 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-05 14:07:48 UTC
Stable on alpha.
Comment 27 Yury German Gentoo Infrastructure gentoo-dev 2017-04-26 01:18:32 UTC
Can not wait on sparc any longer.
Arches, Thank you for your work.
New GLSA Request filed.
Comment 28 GLSAMaker/CVETool Bot gentoo-dev 2017-05-18 02:14:45 UTC
This issue was resolved and addressed in
 GLSA 201705-10 at https://security.gentoo.org/glsa/201705-10
by GLSA coordinator Yury German (BlueKnight).
Comment 29 Yury German Gentoo Infrastructure gentoo-dev 2017-05-18 03:52:50 UTC
ReOpening for stabilization of ia64 and sparc, please finish stabilization or drop from stable.
Comment 30 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-10 20:36:51 UTC
ia64 stable
Comment 31 Mart Raudsepp gentoo-dev 2017-09-02 04:26:28 UTC
Due to sparc failing to action this in any reasonable timeline, I have gone ahead and dropped all stable sparc keywords on gstreamer things, dropping them to ~sparc for now. If they don't wake up, I may grow a desire to also drop the ~sparc keywords at some point in the future.
All keywords were dropped on gst-plugins-libav, as they have also failed to re-keyword ffmpeg-3.2+ and newer gst-plugins-libav.
Should sparc ever feel like catching up with this and re-stabilizing things, then there's a bunch of gstreamer package.use.mask and package.use.stable.mask in there now to cleanly remove the keywords without touching stuff I don't maintain - these might get converted to a global use.stable.mask or use.mask for sparc in the future, once 0.10 exits the tree.

With this, cleanup for gstreamer 1.0 got done as well, albeit some of these vulnerabilities probably affect gstreamer 0.10 things, which are still pending on bug 550648 for cleanup.