Gentoo Archives: gentoo-announce

From: Yury German <blueknight@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201705-10 ] GStreamer plug-ins: User-assisted execution of arbitrary code
Date: Thu, 18 May 2017 02:14:42
Message-Id: ac83db39-3168-7e34-2a8b-a6d67dd1d89f@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201705-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: GStreamer plug-ins: User-assisted execution of arbitrary code
     Date: May 18, 2017
     Bugs: #600142, #601354
       ID: 201705-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in various GStreamer plug-ins,
the worst of which could lead to the execution of arbitrary code.

Background
==========

The GStreamer plug-ins provide decoders to the GStreamer open source
media framework.

Affected packages
=================

    -------------------------------------------------------------------
     Package                       /   Vulnerable   /       Unaffected
    -------------------------------------------------------------------
  1  media-libs/gst-plugins-bad        < 1.10.3             >= 1.10.3
  2  media-libs/gst-plugins-good       < 1.10.3             >= 1.10.3
  3  media-libs/gst-plugins-base       < 1.10.3             >= 1.10.3
  4  media-libs/gst-plugins-ugly       < 1.10.3             >= 1.10.3
    -------------------------------------------------------------------
     4 affected packages

Description
===========

Multiple vulnerabilities have been discovered in various GStreamer
plug-ins. Please review the CVE identifiers referenced below for
details.

Impact
======

A remote attacker could entice a user or automated system using a
GStreamer plug-in to process a specially crafted file, resulting in the
execution of arbitrary code or a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All gst-plugins-bad users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=media-libs/gst-plugins-bad-1.10.3:1.0"

All gst-plugins-good users should upgrade to the latest version:

  # emerge --sync
  # emerge -a --oneshot -v ">=media-libs/gst-plugins-good-1.10.3:1.0"

All gst-plugins-base users should upgrade to the latest version:

  # emerge --sync
  # emerge -a --oneshot -v ">=media-libs/gst-plugins-base-1.10.3:1.0"

All gst-plugins-ugly users should upgrade to the latest version:

  # emerge --sync
  # emerge -a --oneshot -v ">=media-libs/gst-plugins-ugly-1.10.3:1.0"
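
Added example (not part of the Gentoo advisory): a shell check that applies the Affected packages table above to a list of installed package atoms and prints those still below 1.10.3. The input format (one `category/name-version` per line, as printed by `qlist -Iv`), the sample atoms, and the use of GNU `sort -V` as an approximation of Portage version ordering are assumptions.

```shell
#!/bin/sh
# Added example, not Gentoo's tooling: flag installed atoms that fall in the
# "Vulnerable" column of GLSA 201705-10.

FIXED="1.10.3"   # first unaffected version, from the advisory table
AFFECTED="media-libs/gst-plugins-bad media-libs/gst-plugins-good
media-libs/gst-plugins-base media-libs/gst-plugins-ugly"

# Succeeds when version $1 is strictly lower than version $2.
# Assumption: GNU `sort -V` ordering is close enough for these release
# numbers; a trailing Gentoo revision (-rN) is dropped before comparing.
version_lt() {
    local a="${1%-r[0-9]*}" b="${2%-r[0-9]*}"
    [ "$a" != "$b" ] &&
        [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" = "$a" ]
}

# Reads atoms on stdin (category/name-version, one per line) and prints the
# ones that belong to an affected package and are older than $FIXED.
vulnerable_atoms() {
    local atom pkg
    while IFS= read -r atom; do
        for pkg in $AFFECTED; do
            case "$atom" in
                "$pkg"-[0-9]*)
                    if version_lt "${atom#"$pkg"-}" "$FIXED"; then
                        printf '%s\n' "$atom"
                    fi
                    ;;
            esac
        done
    done
}

# Constructed sample input; on a real host pipe in `qlist -Iv` instead.
SAMPLE_INSTALLED='media-libs/gst-plugins-bad-1.8.3
media-libs/gst-plugins-good-1.10.3
media-libs/gst-plugins-base-1.10.2-r1
media-libs/gst-plugins-ugly-1.10.4
media-libs/gstreamer-1.8.3'

printf '%s\n' "$SAMPLE_INSTALLED" | vulnerable_atoms
```

The check ignores slots, so an installed 0.10-series plug-in package is reported as below 1.10.3, which matches the table as written.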

References
==========

[ 1 ] CVE-2016-10198
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10198
[ 2 ] CVE-2016-10199
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10199
[ 3 ] CVE-2016-9445
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9445
[ 4 ] CVE-2016-9446
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9446
[ 5 ] CVE-2016-9447
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9447
[ 6 ] CVE-2016-9634
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9634
[ 7 ] CVE-2016-9635
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9635
[ 8 ] CVE-2016-9636
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9636
[ 9 ] CVE-2016-9807
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9807
[ 10 ] CVE-2016-9808
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9808
[ 11 ] CVE-2016-9809
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9809
[ 12 ] CVE-2016-9810
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9810
[ 13 ] CVE-2016-9811
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9811
[ 14 ] CVE-2016-9812
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9812
[ 15 ] CVE-2016-9813
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9813
[ 16 ] CVE-2017-5837
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5837
[ 17 ] CVE-2017-5838
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5838
[ 18 ] CVE-2017-5839
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5839
[ 19 ] CVE-2017-5840
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5840
[ 20 ] CVE-2017-5841
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5841
[ 21 ] CVE-2017-5842
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5842
[ 22 ] CVE-2017-5843
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5843
[ 23 ] CVE-2017-5844
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5844
[ 24 ] CVE-2017-5845
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5845
[ 25 ] CVE-2017-5846
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5846
[ 26 ] CVE-2017-5847
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5847
[ 27 ] CVE-2017-5848
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5848

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201705-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature