gstreamer-*: 1.10.2 -> 1.10.3 for multiple CVEs
gst-plugins-bad:
From the Arch Linux advisory:

- CVE-2017-5843 (arbitrary code execution): A double-free issue has
  been found in gstreamer before 1.10.3, in
  gst_mxf_demux_update_essence_tracks.

- CVE-2017-5848 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in gst_ps_demux_parse_psm.
More: https://lwn.net/Vulnerabilities/713772/

gst-plugins-base:
From the Arch Linux advisory:

- CVE-2017-5837 (denial of service): A floating point exception issue
  has been found in gstreamer before 1.10.3, in
  gst_riff_create_audio_caps.

- CVE-2017-5839 (denial of service): An endless recursion issue
  leading to stack overflow has been found in gstreamer before 1.10.3,
  in gst_riff_create_audio_caps.

- CVE-2017-5842 (arbitrary code execution): An off-by-one write has
  been found in gstreamer before 1.10.3, in
  html_context_handle_element.

- CVE-2017-5844 (denial of service): A floating point exception issue
  has been found in gstreamer before 1.10.3, in
  gst_riff_create_audio_caps.
More: https://lwn.net/Vulnerabilities/713773/

gst-plugins-good:
From the Arch Linux advisory:

- CVE-2016-10198 (denial of service): An invalid memory read flaw has
  been found in gstreamer before 1.10.3, in
  gst_aac_parse_sink_setcaps.

- CVE-2016-10199 (denial of service): An out of bounds read has been
  found in gstreamer before 1.10.3, in qtdemux_tag_add_str_full.

- CVE-2017-5840 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in qtdemux_parse_samples.

- CVE-2017-5841 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt.

- CVE-2017-5845 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt.
More: https://lwn.net/Vulnerabilities/713774/

gst-plugins-ugly:
From the Arch Linux advisory:

- CVE-2017-5846 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in
  gst_asf_demux_process_ext_stream_props.

- CVE-2017-5847 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in
  gst_asf_demux_process_ext_content_desc.
More: https://lwn.net/Vulnerabilities/713775/

gstreamer:
From the Arch Linux advisory:

An out of bounds read has been found in gstreamer before 1.10.3, in
gst_date_time_new_from_iso8601_string.
More: https://lwn.net/Vulnerabilities/713776/
grahamc committed Feb 8, 2017
1 parent 9d30099 commit afd5981
Showing 10 changed files with 20 additions and 20 deletions.
4 changes: 2 additions & 2 deletions pkgs/development/libraries/gstreamer/bad/default.nix
Expand Up @@ -14,7 +14,7 @@ let
inherit (stdenv.lib) optional optionalString;
in
stdenv.mkDerivation rec {
name = "gst-plugins-bad-1.10.2";
name = "gst-plugins-bad-1.10.3";

meta = with stdenv.lib; {
description = "Gstreamer Bad Plugins";
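Review bot: the version is hard-coded inside the `name` string on the changed line (`name = "gst-plugins-bad-1.10.3";`), which is why this bump has to edit a string literal in every gstreamer package. vaapi/default.nix in this same commit already uses a separate `version` attribute and interpolates it into `name` and the url; doing the same here would make the release a single visible token per file and make it harder for one package to drift out of lockstep with the others.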
Expand All @@ -31,7 +31,7 @@ stdenv.mkDerivation rec {

src = fetchurl {
url = "${meta.homepage}/src/gst-plugins-bad/${name}.tar.xz";
sha256 = "0fisnnfpp3s8pbm6hjrfi4wjpq2da8c6w3ns9pjcg7590f9wm587";
sha256 = "1rwla1p57yzygb68z2xk5l5kvqzj5w3nxq0davkwk139zd8r6294";
};

outputs = [ "out" "dev" ];
4 changes: 2 additions & 2 deletions pkgs/development/libraries/gstreamer/base/default.nix
Expand Up @@ -4,7 +4,7 @@
}:

stdenv.mkDerivation rec {
name = "gst-plugins-base-1.10.2";
name = "gst-plugins-base-1.10.3";

meta = {
description = "Base plugins and helper libraries";
Expand All @@ -15,7 +15,7 @@ stdenv.mkDerivation rec {

src = fetchurl {
url = "${meta.homepage}/src/gst-plugins-base/${name}.tar.xz";
sha256 = "086yjwmp4fykcqkj6zqhwrk2z49981kl8x545vz2wvblrc7x9h7v";
sha256 = "040pifl4cgsqqz2si4s1y5khj3zwm39w21siagxwp805swbrcag6";
};

outputs = [ "out" "dev" ];
4 changes: 2 additions & 2 deletions pkgs/development/libraries/gstreamer/core/default.nix
Expand Up @@ -3,7 +3,7 @@
}:

stdenv.mkDerivation rec {
name = "gstreamer-1.10.2";
name = "gstreamer-1.10.3";

meta = {
description = "Open source multimedia framework";
Expand All @@ -15,7 +15,7 @@ stdenv.mkDerivation rec {

src = fetchurl {
url = "${meta.homepage}/src/gstreamer/${name}.tar.xz";
sha256 = "0rcd4ya4k99x6ngm9v78as7ql0rqibkwshc13lb4rjdszs0qw3hm";
sha256 = "0gdnxg5igbhnpjhrzp31w1ww95j805byqd6mj3x29wli54dxrfc5";
};

outputs = [ "out" "dev" ];
4 changes: 2 additions & 2 deletions pkgs/development/libraries/gstreamer/ges/default.nix
Expand Up @@ -3,7 +3,7 @@
}:

stdenv.mkDerivation rec {
name = "gstreamer-editing-services-1.10.2";
name = "gstreamer-editing-services-1.10.3";

meta = with stdenv.lib; {
description = "Library for creation of audio/video non-linear editors";
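Review bot: gstreamer-editing-services is bumped to 1.10.3 on the `name` line, but the commit message only quotes advisories for gst-plugins-bad, gst-plugins-base, gst-plugins-good, gst-plugins-ugly and gstreamer. Add a line to the message stating that ges, libav, python, vaapi and validate are bumped only to stay on the same release, so that someone auditing CVE coverage later does not go looking for a security fix in this package.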
Expand All @@ -14,7 +14,7 @@ stdenv.mkDerivation rec {

src = fetchurl {
url = "${meta.homepage}/src/gstreamer-editing-services/${name}.tar.xz";
sha256 = "0hx7bwj8li88qq09slvdxlnfq76hr35nyjvd4ixrz5gmkpmrl5fv";
sha256 = "0ax3qbi1m4wcii03ysln3lm8nhw3fr2rd35ndfy4mr4vg2nm5gxw";
};

outputs = [ "out" "dev" ];
4 changes: 2 additions & 2 deletions pkgs/development/libraries/gstreamer/good/default.nix
Expand Up @@ -10,7 +10,7 @@ let
inherit (stdenv.lib) optionals optionalString;
in
stdenv.mkDerivation rec {
name = "gst-plugins-good-1.10.2";
name = "gst-plugins-good-1.10.3";

meta = with stdenv.lib; {
description = "Gstreamer Good Plugins";
Expand All @@ -26,7 +26,7 @@ stdenv.mkDerivation rec {

src = fetchurl {
url = "${meta.homepage}/src/gst-plugins-good/${name}.tar.xz";
sha256 = "04rksbhjj2yz32g523cfabwqn2s3byd94dpbxghxr0p9ridk53qr";
sha256 = "0mar8ss8bvpz699ql4kgndvna8qsv7kj372py4435ffl6hzfj1sf";
};

outputs = [ "out" "dev" ];
4 changes: 2 additions & 2 deletions pkgs/development/libraries/gstreamer/libav/default.nix
Expand Up @@ -9,7 +9,7 @@
assert withSystemLibav -> libav != null;

stdenv.mkDerivation rec {
name = "gst-libav-1.10.2";
name = "gst-libav-1.10.3";

meta = {
homepage = "http://gstreamer.freedesktop.org";
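Review bot: `homepage` in the context of this hunk is plain `http://gstreamer.freedesktop.org`, and the `src` url in this file is built from `${meta.homepage}`, so the 1.10.3 tarball is fetched over unauthenticated HTTP. The pinned sha256 still rejects a tampered download, but the hash then becomes the only integrity control; since the release notes linked in the discussion are served from https://gstreamer.freedesktop.org, consider switching `homepage` to https while touching this file.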
Expand All @@ -19,7 +19,7 @@ stdenv.mkDerivation rec {

src = fetchurl {
url = "${meta.homepage}/src/gst-libav/${name}.tar.xz";
sha256 = "0g778j7w4vpbhwjzyrzpajvr26nxm6vqby84v8g1w1hz44v71pd3";
sha256 = "1aajayv63ardkbmcg7pnh2d87r067325a5wzinwihaw6n5jw2sws";
};

outputs = [ "out" "dev" ];
4 changes: 2 additions & 2 deletions pkgs/development/libraries/gstreamer/python/default.nix
Expand Up @@ -6,14 +6,14 @@
let
inherit (pythonPackages) python pygobject3;
in stdenv.mkDerivation rec {
name = "gst-python-1.10.2";
name = "gst-python-1.10.3";

src = fetchurl {
urls = [
"${meta.homepage}/src/gst-python/${name}.tar.xz"
"mirror://gentoo/distfiles/${name}.tar.xz"
];
sha256 = "1sljnqkxf2ix6yzghrapw5irl0rbp8aa8w2hggk7i6d9js10ls71";
sha256 = "1sljnqkxf2ix7yzghrapw5irl0rbp8aa8w2hggk7i6d9js10ls71";
};

patches = [ ./different-path-with-pygobject.patch ];
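Review bot: the new sha256 for gst-python differs from the old one in a single character (`1sljnqkxf2ix6yz...` became `1sljnqkxf2ix7yz...`, the rest of the string is identical), which is not what the hash of a different tarball looks like. This reads like a hash that was perturbed by hand to force a re-fetch and then never replaced with the real value. Please recompute it for the 1.10.3 tarball (for example with nix-prefetch-url) and update the line; if the value is not the real hash, the fetch fails with a hash mismatch and the package does not build.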
4 changes: 2 additions & 2 deletions pkgs/development/libraries/gstreamer/ugly/default.nix
Expand Up @@ -5,7 +5,7 @@
}:

stdenv.mkDerivation rec {
name = "gst-plugins-ugly-1.10.2";
name = "gst-plugins-ugly-1.10.3";

meta = with stdenv.lib; {
description = "Gstreamer Ugly Plugins";
Expand All @@ -22,7 +22,7 @@ stdenv.mkDerivation rec {

src = fetchurl {
url = "${meta.homepage}/src/gst-plugins-ugly/${name}.tar.xz";
sha256 = "17gc2zd3v6spmm2d6912sqfcyyv5f2ghdhq31f5kx5mw5r6ds0zk";
sha256 = "1lkb8kznc9wxmhbp7k67b50y27nz8jp2x2flb91xzydz7b89f5f9";
};

outputs = [ "out" "dev" ];
4 changes: 2 additions & 2 deletions pkgs/development/libraries/gstreamer/vaapi/default.nix
Expand Up @@ -5,11 +5,11 @@

stdenv.mkDerivation rec {
name = "gst-vaapi-${version}";
version = "1.10.2";
version = "1.10.3";

src = fetchurl {
url = "${meta.homepage}/src/gstreamer-vaapi/gstreamer-vaapi-${version}.tar.xz";
sha256 = "1abzaj9kczap1xmalgzid1k3gqcn1ghnn76cn2kclc1gbfwd4ccy";
sha256 = "07ing6z7n0ylz5vknk3d2lw54a6szd6m8hqc3px6lahmd832ga6f";
};

outputs = [ "out" "dev" ];
4 changes: 2 additions & 2 deletions pkgs/development/libraries/gstreamer/validate/default.nix
Expand Up @@ -3,7 +3,7 @@
}:

stdenv.mkDerivation rec {
name = "gst-validate-1.10.2";
name = "gst-validate-1.10.3";

meta = {
description = "Integration testing infrastructure for the GStreamer framework";
Expand All @@ -14,7 +14,7 @@ stdenv.mkDerivation rec {

src = fetchurl {
url = "${meta.homepage}/src/gst-validate/${name}.tar.xz";
sha256 = "1mwyk3b19aq78mjhmrpc7qqs9flrykrn1j763g5wx546swc489xy";
sha256 = "00icav26pj81cxdykf86rp3jw6lb178ydrqhcck43i94jdb4hsxy";
};

outputs = [ "out" "dev" ];

2 comments on commit afd5981

@vcunat (Member) commented on afd5981 Feb 26, 2017

Hmm, two of the DOS vulnerabilities are mentioned even in 1.10.4: https://gstreamer.freedesktop.org/releases/1.10/#1.10.4

@fpletz (Member) commented on afd5981 Feb 26, 2017

That's weird. Though I would rather trust upstream on this because Arch could have just added patches in their version to fix the issues. I'll package the new version.
