Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 601354 (CVE-2016-10198, CVE-2016-10199, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5846, CVE-2017-5847, CVE-2017-5848) - <media-libs/gst-plugins-{good,base,bad,ugly}-1.10.3: Multiple vulnerabilities
Summary: <media-libs/gst-plugins-{good,base,bad,ugly}-1.10.3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-10198, CVE-2016-10199, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5846, CVE-2017-5847, CVE-2017-5848
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
: 600506 (view as bug list)
Depends on: 574786 608868
Blocks: 610810 611736
  Show dependency tree
 
Reported: 2016-12-01 14:41 UTC by Hanno Böck
Modified: 2017-11-02 15:31 UTC (History)
2 users (show)

See Also:
Package list:
media-libs/gstreamer-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-libs/gst-plugins-base-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-opus-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-libvisual-1.10.3 amd64 hppa ppc ppc64 sparc x86 media-plugins/gst-plugins-cdparanoia-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-libs/gst-plugins-good-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-dv-1.10.3 alpha amd64 hppa ppc ppc64 x86 media-plugins/gst-plugins-flac-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-gdkpixbuf-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-jack-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-jpeg-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-libpng-1.10.3 alpha amd64 ppc ppc64 sparc x86 media-plugins/gst-plugins-oss-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-pulse-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-raw1394-1.10.3 amd64 ppc ppc64 x86 media-plugins/gst-plugins-shout2-1.10.3 alpha amd64 ppc ppc64 x86 media-plugins/gst-plugins-soup-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-speex-1.10.3 alpha amd64 hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-taglib-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-v4l2-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-wavpack-1.10.3 alpha amd64 hppa ppc ppc64 x86 media-plugins/gst-plugins-vpx-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 x86 media-plugins/gst-plugins-ximagesrc-1.10.3 amd64 ppc ppc64 x86 media-libs/gst-plugins-ugly-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-a52dec-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-amr-1.10.3 amd64 x86 media-plugins/gst-plugins-cdio-1.10.3 alpha amd64 ppc ppc64 x86 media-plugins/gst-plugins-dvdread-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-lame-1.10.3 alpha amd64 hppa ppc ppc64 sparc x86 media-plugins/gst-plugins-mad-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-mpeg2dec-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-sidplay-1.10.3 alpha amd64 ppc ppc64 sparc x86 media-plugins/gst-plugins-twolame-1.10.3 alpha amd64 ppc ppc64 sparc x86 media-plugins/gst-plugins-x264-1.10.3 alpha amd64 hppa ppc ppc64 sparc x86 media-plugins/gst-plugins-libav-1.10.4 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-libs/gst-plugins-bad-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-vaapi-1.10.3 amd64 x86 media-plugins/gst-plugins-assrender-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-bluez-1.10.3 amd64 x86 media-plugins/gst-plugins-dash-1.10.3 amd64 x86 media-plugins/gst-plugins-dtls-1.10.3 amd64 x86 media-plugins/gst-plugins-dts-1.10.3 amd64 hppa x86 media-plugins/gst-plugins-dvb-1.10.3 alpha amd64 arm ppc ppc64 x86 media-plugins/gst-plugins-faac-1.10.3 alpha amd64 ppc ppc64 x86 media-plugins/gst-plugins-faad-1.10.3 alpha amd64 hppa ia64 ppc ppc64 sparc x86 media-plugins/gst-plugins-hls-1.10.3 amd64 x86 media-plugins/gst-plugins-libde265-1.10.3 amd64 x86 media-plugins/gst-plugins-libmms-1.10.3 alpha amd64 hppa ppc ppc64 sparc x86 media-plugins/gst-plugins-modplug-1.10.3 amd64 hppa ppc ppc64 x86 media-plugins/gst-plugins-mpeg2enc-1.10.3 amd64 x86 media-plugins/gst-plugins-mplex-1.10.3 alpha amd64 hppa x86 media-plugins/gst-plugins-neon-1.10.3 alpha amd64 ppc ppc64 x86 media-plugins/gst-plugins-ofa-1.10.3 amd64 x86 media-plugins/gst-plugins-openh264-1.10.3 amd64 x86 media-plugins/gst-plugins-resindvd-1.10.3 alpha amd64 arm hppa ppc ppc64 sparc x86 media-plugins/gst-plugins-rtmp-1.10.3 amd64 x86 media-plugins/gst-plugins-schroedinger-1.10.3 amd64 x86 media-plugins/gst-plugins-smoothstreaming-1.10.3 amd64 x86 media-plugins/gst-plugins-soundtouch-1.10.3 amd64 x86 media-plugins/gst-plugins-uvch264-1.10.3 amd64 x86 media-plugins/gst-plugins-voaacenc-1.10.3 amd64 x86 media-plugins/gst-plugins-voamrwbenc-1.10.3 amd64 x86 media-plugins/gst-plugins-x265-1.10.3 amd64 x86 dev-python/gst-python-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 media-libs/gstreamer-editing-services-1.10.3 amd64 x86 media-libs/gst-rtsp-server-1.10.3 amd64 x86 media-plugins/gst-plugins-meta-1.10.3 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2016-12-01 14:41:21 UTC
gstreamer 1.10.2 fix multiple memory safety issues:
http://www.openwall.com/lists/oss-security/2016/12/01/2

Some of them related to Chris Evans' latest blog posts, some my fuzzing work. I can already announce that there's more to come with the next update.

from the oss-sec post:

https://bugzilla.gnome.org/show_bug.cgi?id=774859
Invalid memory read in flx_decode_chunks (gst-plugins-good)
The fix is a larger rewrite of the affected code paths and probably
fixed a bunch of other issues on the way. It also fixes the second flic
bug reported by Chris Evans described here:
https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-incorrect-fix-for-gstreamer.html

https://bugzilla.gnome.org/show_bug.cgi?id=774896
h264: one byte heap off by one read in gst_h264_parse_set_caps
(gst-plugins-bad)

https://bugzilla.gnome.org/show_bug.cgi?id=774897
Invalid memory read in glib caused by one invalid unref call in the
flxdec decoder. (gst-plugins-good)

https://bugzilla.gnome.org/show_bug.cgi?id=774902
4 byte heap out of bounds read in windows_icon_typefind
(gst-plugins-base)

https://bugzilla.gnome.org/show_bug.cgi?id=775048
2 byte heap out of bounds read in gst_mpegts_section_new
(gst-plugins-bad).

https://bugzilla.gnome.org/show_bug.cgi?id=775120
null pointer deref (segfault) in mpegts decoder / _parse_pat
(gst-plugins-bad)
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 14:54:32 UTC
*** Bug 600506 has been marked as a duplicate of this bug. ***
Comment 2 Mart Raudsepp gentoo-dev 2017-01-21 07:54:41 UTC
http://seclists.org/oss-sec/2016/q4/517 is actually the CVE-2016-9634, CVE-2016-9635, CVE-2016-9636 stuff. But keeping it on this bug as it'll all be done in one.
Adding aliases for the CVEs that were assigned for the mail copy-pasted here. Package fixes will follow soon finally.
Comment 3 Mart Raudsepp gentoo-dev 2017-02-11 12:57:28 UTC
Adding CVEs for
http://www.openwall.com/lists/oss-security/2017/02/01/7
http://www.openwall.com/lists/oss-security/2017/02/02/9
also under here as it's all handled together now.
Comment 4 Mart Raudsepp gentoo-dev 2017-02-11 12:58:13 UTC
removing cve whiteboard entry because of the new CVEs added here probably needing association in glsamaker?
Comment 5 Mart Raudsepp gentoo-dev 2017-02-11 15:33:16 UTC
Adding mention of gst-plugins-ugly to summary as at least the added CVE-2017-5847 affects that.

Arches, please test and stable the given package list. You will need ffmpeg-3 as well, as gst-plugins-libav-1.10.3 doesn't work against ffmpeg-2.8 anymore and it's too risky to keep it at 1.8.3 while the rest is 1.10 (plus it's known to be broken against ffmpeg-2.8 with missing codecs due to a bug in gst-libav-1.8.3 release). Some of you don't even have keywords for the new version yet, but well, the KEYWORDREQ for that has been open for over a year(!), so yeah, now needs to go stable immediately as well.
Comment 6 Mart Raudsepp gentoo-dev 2017-02-11 15:34:08 UTC
Removing B2 severity judgment due to 14 new CVEs added to this bug whose severity hasn't been judged yet for GLSA purposes
Comment 7 Mart Raudsepp gentoo-dev 2017-02-11 15:40:54 UTC
Note that gstreamer 0.10 SLOT is still vulnerable for many or most of this; the intention there is to last rite 0.10 slots, the GLSA(s) should just report vulnerable for 0.10 too (just not slot restricting <1.10.3 I guess)
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 01:51:17 UTC
After reviewing added CVEs, rating is still B2.

@ Maintainer(s): You changed whiteboard to "stable" and set package list but you did not CC'ed arches. Can we start stabilization or do we have to wait for bug 608868?
Comment 9 Mart Raudsepp gentoo-dev 2017-02-13 10:27:28 UTC
yes, I assumed I CCed but seem to have forgotten with all the other changes done and was starting to wonder why no-one has stabled yet.

Arches, please test and stable the given package list. You will need ffmpeg-3 as well, as gst-plugins-libav-1.10.3 doesn't work against ffmpeg-2.8 anymore and it's too risky to keep it at 1.8.3 while the rest is 1.10 (plus it's known to be broken against ffmpeg-2.8 with missing codecs due to a bug in gst-libav-1.8.3 release). Some of you don't even have keywords for the new version yet, but well, the KEYWORDREQ for that has been open for over a year(!), so yeah, now needs to go stable immediately as well.
Comment 10 Mart Raudsepp gentoo-dev 2017-02-13 10:28:46 UTC
and yes, we do need to have each architecture do bug 608868 as well, but that's marked as a depends here (gst-plugins-libav-1.10.3 needs it)
Comment 11 Stabilization helper bot gentoo-dev 2017-02-13 11:18:37 UTC
An automated check of this bug failed - repoman reported dependency errors (109 lines truncated): 

> dependency.bad media-libs/gstreamer/gstreamer-1.10.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=sys-libs/libunwind-1.2_rc1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/gstreamer/gstreamer-1.10.3.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=sys-libs/libunwind-1.2_rc1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/gstreamer/gstreamer-1.10.3.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=sys-libs/libunwind-1.2_rc1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 12 Mart Raudsepp gentoo-dev 2017-02-13 13:17:26 UTC
Removing sanity-check result to have a re-run after package.use.stable.mask'ing USE=unwind

commit eedf9851803d65929642aea4b1edc1baaf1668d8
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Mon Feb 13 15:15:01 2017 +0200

    profiles: package.use.stable.mask media-libs/gstreamer unwind
    
    Blocking security stabilization, while only used in the leak tracer,
    which is primarily used for leak testing in upstream jenkins CI runs.
Comment 13 Markus Meier gentoo-dev 2017-02-15 17:51:08 UTC
arm stable
Comment 14 Mart Raudsepp gentoo-dev 2017-02-15 18:13:05 UTC
@arm: At least gst-plugins-libav-1.10.3 is not done; 1.8.3 is broken as-is with older ffmpeg-2.8 (missing codec exports at gst side, etc)
Comment 15 Mart Raudsepp gentoo-dev 2017-02-15 21:20:07 UTC
Adding media-plugins/gst-plugins-meta-1.10.3 to the list to have the metapackage force security fixed versions as well. Some keywords were dropped on that for now due to gst-plugins-libav keywords droppage due to the delayed keywording of ffmpeg-3.2; should straight to stable this as well after doing gst-plugins-libav.
Comment 16 Agostino Sarubbo gentoo-dev 2017-02-16 13:25:57 UTC
amd64 stable
Comment 17 Joakim Tjernlund 2017-02-16 15:28:57 UTC
You forgot to stable 
media-plugins/gst-plugins-srtp-1.10.3
Comment 18 Mart Raudsepp gentoo-dev 2017-02-16 15:43:52 UTC
(In reply to Joakim Tjernlund from comment #17)
> You forgot to stable 
> media-plugins/gst-plugins-srtp-1.10.3

that has never been in stable yet; if you want it stable, then it's a separate newstable request in a new bug.
Comment 19 Joakim Tjernlund 2017-02-16 16:18:17 UTC
(In reply to Mart Raudsepp from comment #18)
> (In reply to Joakim Tjernlund from comment #17)
> > You forgot to stable 
> > media-plugins/gst-plugins-srtp-1.10.3
> 
> that has never been in stable yet; if you want it stable, then it's a
> separate newstable request in a new bug.

New bug in
https://bugs.gentoo.org/show_bug.cgi?id=609540
Comment 20 Agostino Sarubbo gentoo-dev 2017-02-16 17:26:45 UTC
x86 stable
Comment 21 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-19 12:00:35 UTC
Stable for HPPA.
Comment 22 Agostino Sarubbo gentoo-dev 2017-02-24 13:51:22 UTC
ppc64 stable
Comment 23 Agostino Sarubbo gentoo-dev 2017-02-24 14:08:04 UTC
ppc stable
Comment 24 Mart Raudsepp gentoo-dev 2017-02-24 20:18:14 UTC
Updating gst-plugins-libav target from 1.10.3 to 1.10.4 for security bug 610810, so arches that haven't done it yet, can do it immediately instead.
Comment 25 Mart Raudsepp gentoo-dev 2017-03-23 01:01:51 UTC
Removing arm@ CC again; the missed gst-plugins-libav got done via bug 610810 and I think nothing else was missed.
Comment 26 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-05 14:07:48 UTC
Stable on alpha.
Comment 27 Yury German Gentoo Infrastructure gentoo-dev 2017-04-26 01:18:32 UTC
Can not wait on sparc any longer.
Arches, Thank you for your work.
New GLSA Request filed.
Comment 28 GLSAMaker/CVETool Bot gentoo-dev 2017-05-18 02:14:45 UTC
This issue was resolved and addressed in
 GLSA 201705-10 at https://security.gentoo.org/glsa/201705-10
by GLSA coordinator Yury German (BlueKnight).
Comment 29 Yury German Gentoo Infrastructure gentoo-dev 2017-05-18 03:52:50 UTC
ReOpening for stabilization of ia64 and sparc, please finish stabilization or drop from stable.
Comment 30 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-10 20:36:51 UTC
ia64 stable
Comment 31 Mart Raudsepp gentoo-dev 2017-09-02 04:26:28 UTC
Due to sparc failing to action this in any reasonable timeline, I have went ahead and dropped all stable sparc keywords on gstreamer things, dropping them to ~sparc for now. If they don't wake up, I may grow a desire to also drop the ~sparc keywords at some point in the future.
All keywords were dropped on gst-plugins-libav, as they have also failed to re-keyword ffmpeg-3.2+ and newer gst-plugins-libav.
Should sparc ever feel like catching up with this and re-stabilizing things, then there's a bunch of gstreamer package.use.mask and package.use.stable.mask in there now to cleanly remove the keywords without touching stuff I don't maintain - these might get converted to a global use.stable.mask or use.mask for sparc in the future, once 0.10 exits the tree.

With this cleanup for gstreamer 1.0 got done as well, albeit some of these vulnerabilities probably affect gstreamer 0.10 things, which are still pending on bug 550648 for cleanup