Gentoo Archives: gentoo-user

From: "»Q«" <boxcars@×××.net>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)
Date: Mon, 11 Jan 2016 23:02:22
Message-Id: 20160111170051.7bf6d23c@sepulchrave.remarqs
In Reply to: Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10) by David Haller
On Thu, 7 Jan 2016 23:45:38 +0100
David Haller <gentoo@×××××××.de> wrote:

> On Wed, 06 Jan 2016, »Q« wrote:
> >On Tue, 5 Jan 2016 08:26:42 -0800
> >Grant <emailgrant@×××××.com> wrote:
> >
> >> > AFAICT, details of the gstreamer bug itself haven't been made
> >> > public yet, and nobody is sure whether the unmaintained 0.10
> >> > branch needs a patch. See
> >> > <https://bugs.gentoo.org/show_bug.cgi?id=553742#c11> and the
> >> > following comment.
> >>
> >> So everyone is just living with the supposed security
> >> vulnerability on their system?
> >
> >Not everyone. SUSE and Debian seem to have patches for this for
> >0.10.
> >
> ><https://www.suse.com/security/cve/CVE-2015-0797.html>
> >
> ><https://www.debian.org/security/2015/dsa-3225>
>
> https://build.opensuse.org/package/view_file/multimedia:libs/gstreamer-0_10-plugins-bad/gstreamer-0_10-plugins-bad-mp4-overflow.patch?expand=1

The bug is fixed -- that patch is applied in gst-plugins-bad-0.10.23-r3.

I understand there's effectively no longer an upstream for 0.10, but
still it's disconcerting that a patch made it from Mozilla to Debian
and SUSE (and who knows who else) months ago without other distros
finding out about it. Maybe that's why access to Mozilla's bug entry
is still restricted.

I guess there's nothing to do but for us to be vigilant until eventually
all the things that depend on 0.10 are gone and we no longer need it.
