-
-
Notifications
You must be signed in to change notification settings - Fork 12.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
gstreamer-*: 1.10.2 -> 1.10.3 for multiple CVEs
gst-plugins-bad: From the Arch Linux advisory: - CVE-2017-5843 (arbitrary code execution): A double-free issue has been found in gstreamer before 1.10.3, in gst_mxf_demux_update_essence_tracks. - CVE-2017-5848 (denial of service): An out-of-bounds read has been found in gstreamer before 1.10.3, in gst_ps_demux_parse_psm. More: https://lwn.net/Vulnerabilities/713772/ gst-plugins-base: From the Arch Linux advisory: - CVE-2017-5837 (denial of service): A floating point exception issue has been found in gstreamer before 1.10.3, in gst_riff_create_audio_caps. - CVE-2017-5839 (denial of service): An endless recursion issue leading to stack overflow has been found in gstreamer before 1.10.3, in gst_riff_create_audio_caps. - CVE-2017-5842 (arbitrary code execution): An off-by-one write has been found in gstreamer before 1.10.3, in html_context_handle_element. - CVE-2017-5844 (denial of service): A floating point exception issue has been found in gstreamer before 1.10.3, in gst_riff_create_audio_caps. More: https://lwn.net/Vulnerabilities/713773/ gst-plugins-good: From the Arch Linux advisory: - CVE-2016-10198 (denial of service): An invalid memory read flaw has been found in gstreamer before 1.10.3, in gst_aac_parse_sink_setcaps. - CVE-2016-10199 (denial of service): An out of bounds read has been found in gstreamer before 1.10.3, in qtdemux_tag_add_str_full. - CVE-2017-5840 (denial of service): An out-of-bounds read has been found in gstreamer before 1.10.3, in qtdemux_parse_samples. - CVE-2017-5841 (denial of service): An out-of-bounds read has been found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt. - CVE-2017-5845 (denial of service): An out-of-bounds read has been found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt. More: https://lwn.net/Vulnerabilities/713774/ gst-plugins-ugly: From the Arch Linux advisory: - CVE-2017-5846 (denial of service): An out-of-bounds read has been found in gstreamer before 1.10.3, in gst_asf_demux_process_ext_stream_props. - CVE-2017-5847 (denial of service): An out-of-bounds read has been found in gstreamer before 1.10.3, in gst_asf_demux_process_ext_content_desc. More: https://lwn.net/Vulnerabilities/713775/ gstreamer: From the Arch Linux advisory: An out of bounds read has been found in gstreamer before 1.10.3, in gst_date_time_new_from_iso8601_string. More: https://lwn.net/Vulnerabilities/713776/
- Loading branch information
Showing
10 changed files
with
20 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
afd5981
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, two of the DOS vulnerabilities are mentioned even in 1.10.4: https://gstreamer.freedesktop.org/releases/1.10/#1.10.4
afd5981
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's weird. Though I would rather trust upstream on this because Arch could have just added patches in their version to fix the issues. I'll package the new version.