Gentoo Forums
GLSA 201705-10, gst-plugins-*:0.10 and glsa-check
Networking & Security
wpettersson
n00b


Joined: 04 Jun 2014
Posts: 14

PostPosted: Mon May 22, 2017 3:41 am    Post subject: GLSA 201705-10, gst-plugins-*:0.10 and glsa-check

So I noticed GLSA 201705-10 (https://security.gentoo.org/glsa/201705-10) pop up recently. It affects <gst-plugins-{good,bad,base,ugly}-1.10.3. I have version 1.10.3 installed for all these, but as these plugins are slotted I also have 0.10.* versions of them installed. I've checked the bug reports, but it's not clear. Does this bug affect the 0.10 slotted versions of gstreamer? If not, is the GLSA not clear on this, or is glsa-check not correctly identifying the correct vulnerability?

Installed plugins on my system
Code:
$ eix -Ic gst-plugins-                 
[I] media-libs/gst-plugins-bad (0.10.23-r4(0.10)@25/11/16 1.10.3(1.0)@18/02/17): Less plugins for GStreamer
[I] media-libs/gst-plugins-base (0.10.36-r2(0.10)@30/03/15 1.10.3(1.0)@18/02/17): Basepack of plugins for gstreamer
[I] media-libs/gst-plugins-good (0.10.31-r2(0.10)@22/10/16 1.10.3(1.0)@18/02/17): Basepack of plugins for GStreamer
[I] media-libs/gst-plugins-ugly (0.10.19-r1(0.10)@30/03/15 1.10.3(1.0)@18/02/17): Basepack of plugins for gstreamer



glsa-check reports the following
Code:
$ glsa-check -p 201705-10
Checking GLSA 201705-10
>>> No upgrade path exists for these packages:
     media-libs/gst-plugins-ugly-0.10.19-r1, media-libs/gst-plugins-bad-0.10.23-r4, media-libs/gst-plugins-base-0.10.36-r2, media-libs/gst-plugins-good-0.10.31-r2
ChrisJumper
Advocate


Joined: 12 Mar 2005
Posts: 2206
Location: Germany

PostPosted: Mon May 22, 2017 2:21 pm    Post subject: Re: GLSA 201705-10, gst-plugins-*:0.10 and glsa-check

wpettersson wrote:
So I noticed GLSA 201705-10 (https://security.gentoo.org/glsa/201705-10) pop up recently. It affects <gst-plugins-{good,bad,base,ugly}-1.10.3. I have version 1.10.3 installed for all these, but as these plugins are slotted I also have 0.10.* versions of them installed. I've checked the bug reports, but it's not clear. Does this bug affect the 0.10 slotted versions of gstreamer? If not, is the GLSA not clear on this, or is glsa-check not correctly identifying the correct vulnerability?


Hi wpettersson,

I am not sure which packages need the slotted gstreamer 0.10 versions. The 1.10.3 versions are unaffected. GStreamer codecs are a security hell for sure. The best you can do is to get rid of codecs which you don't need. It's like Stagefright on Android phones or Adobe Flash.
wpettersson
n00b


Joined: 04 Jun 2014
Posts: 14

PostPosted: Mon May 22, 2017 11:24 pm    Post subject: Re: GLSA 201705-10, gst-plugins-*:0.10 and glsa-check

ChrisJumper wrote:
i am not sure which packages need the slotted gstreamer 0.10 Versions.


wxGTK needs the slotted 0.10, as does qtwebkit:4. These, in turn, are required by apps like Skype, rstudio, gnuplot, audacity etc. These are all still in the portage tree, and still mostly marked stable (skype being keyworded is the exception). Sure, removing Skype and Audacious and rstudio would then let me remove gstreamer 0.10. If gstreamer 0.10 truly is deprecated, it will get removed from the portage tree, but we're a long way from that precisely because many apps still depend on it.

So gstreamer:0.10 is still in the tree, and I'm still not sure whether this GLSA affects it.
ChrisJumper
Advocate


Joined: 12 Mar 2005
Posts: 2206
Location: Germany

PostPosted: Thu May 25, 2017 8:39 pm

Oh you are right, if 0.1 and 1.10 are different slots... oh wait.

The scarybeastsecurity blog wrote that the older gstreamer-0.10 is affected.
But when I tried the exploit, it did not work for me. The blog says that the avi file should crash tracker on GNOME.

Got no issues here. GLSA is still complaining about the lag of updates for the 0.10 packages. Maybe it's just a bug or they need time to update.

Edit: I just had some older packages that use these libraries. So I just removed them. Others like
Code:
x11-libs/wxGTK-2.8.12.1-r1 (gstreamer ? media-libs/gst-plugins-base:0.10)
did not really need that on my system, because I have not set the gstreamer USE flag, so I removed the gst-plugins and gstreamer 0.10 packages without issues.

I checked it with equery d =media-libs/gst-plugins-base-0.10.36-r2 and copied the lines that request gstreamer 0.10 packages. Then I took a look at how old each package is and thought about whether I need it. I found a package that was installed but no longer in portage. :D
Leio
Developer


Joined: 27 Feb 2003
Posts: 480
Location: Estonia

PostPosted: Thu Jun 01, 2017 10:44 pm

wxGTK can be bumped to a new version to use gstreamer 1.x instead (or patched before that), but I have been too busy to get to that, sorry. However, likely your wxGTK consumers don't actually need wxMediaCtrl (that is what is enabled by this USE=gstreamer) and you could per-package disable gstreamer on wxGTK for now. I suggest doing that only for wxGTK:3.0, as when things start migrating more to wxGTK:3.0-gtk3 I'll have it fixed up to use gst 1.0 by then, so you don't need to worry about putting it back. Of course you can also do it with the slot unspecified if you know that nothing needs wxMediaCtrl. I don't suggest messing with the global gstreamer USE choice in make.conf for that purpose, however, but per-package in /etc/portage/package.use.

skype needing qtwebkit is in a similar position. It might need the (also known security vulnerable) qtwebkit:4, but not qtwebkit:4[gstreamer], so could per-package disable USE=gstreamer on that as well. As qtwebkit:4 has hundreds of known vulnerabilities, might want to consider alternatives though. The official new thing is skypeforlinux. I use pidgin-skypeweb for text chat and android when needing to talk (I prefer it anyways due to hands-free paired to that), or skypeforlinux on desktop only if really needed as it's a really nice memory and CPU sink.

An old report of what still might need fixing to not use the security-vulnerable gst 0.10 is at https://github.com/gentoo/gentoo/pull/3321 - but gnome 3.24, the wxGTK bump, gstreamer 1.12 and so on take priority for me, so I haven't even managed to file bugs against all the still-affected packages.

And yes, gstreamer:0.10, gst-plugins-base:0.10 and so on are known security vulnerable (as much as you call crashes security vulnerabilities, which seems the thing to do these days...), just maybe not that particular one as I did simply disable some vulnerable plugins in 0.10 before in revbump, but soon after more vulnerability reports flew in, which would have required backporting (they were in things like the mp4 demuxer...), so I gave up, which was the reasonable thing to do with it not being maintained upstream for years.

As for claims of gstreamer being a security hell, I would say quite the opposite. GStreamer actually got security auditing now, with all found issues promptly fixed. So that's good for security, compared to the many things that just aren't audited at all (which includes gstreamer 0.10) and as such don't get any fuss about it.
Since tracker version 1.10.5 (and before upstream, we skipped some releases) there is also seccomp based sandboxing to guard against that stuff, as long as you don't avoid it by disabling default enabled USE=seccomp there and not having libseccomp installed during tracker compile.
_________________
GNOME team lead; GStreamer; MIPS/ARM64
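The triage ChrisJumper and Leio describe (list the reverse dependencies of gst-plugins-base:0.10 with `equery d`, separate the packages that only pull it in behind a USE flag from the ones that need it unconditionally, and drop that flag per package in /etc/portage/package.use) can be scripted. The script below is an added example, not code from the thread or from Gentoo. It runs offline on a constructed sample of `equery d` output embedded in the script: the wxGTK-2.8 line is the one ChrisJumper posted, while the other version numbers and the app-misc entry are made up for illustration. On a real system you would pipe the output of `equery d =media-libs/gst-plugins-base-0.10.36-r2` into `package_use_lines` and `hard_deps` instead.

```shell
#!/bin/sh
# Added example (not from the thread): sort the reverse dependencies of
# gst-plugins-base:0.10 into "USE-conditional" and "hard" ones, and print
# the /etc/portage/package.use lines that would drop the conditional ones.

# Constructed sample of `equery d =media-libs/gst-plugins-base-0.10.36-r2`
# output. The wxGTK-2.8 line is the one quoted in the thread; the other
# package versions and the app-misc entry are made up for illustration.
SAMPLE_EQUERY_OUTPUT='x11-libs/wxGTK-2.8.12.1-r1 (gstreamer ? media-libs/gst-plugins-base:0.10)
x11-libs/wxGTK-3.0.2.0 (gstreamer ? media-libs/gst-plugins-base:0.10)
dev-qt/qtwebkit-4.10.4 (gstreamer ? media-libs/gst-plugins-base:0.10)
app-misc/example-hard-dependent-1.0 (media-libs/gst-plugins-base:0.10)'

# classify_deps: read equery-style lines on stdin and emit one record per
# line: "conditional|<pkg-version>|<use-flag>" when the dependency sits
# behind a "flag ? atom" conditional, otherwise "hard|<pkg-version>".
classify_deps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        pkg=${line%% *}              # first field: category/name-version
        dep=${line#*\(}              # text inside the parentheses
        dep=${dep%\)}
        case "$dep" in
            *' ? '*)
                flag=$(printf '%s\n' "$dep" | cut -d' ' -f1)
                printf 'conditional|%s|%s\n' "$pkg" "$flag" ;;
            *)
                printf 'hard|%s\n' "$pkg" ;;
        esac
    done
}

# package_use_lines: for every USE-conditional dependent, print a
# "category/name -flag" line suitable for /etc/portage/package.use.
# The version is stripped, so the line applies to every slot; add a slot
# qualifier such as "x11-libs/wxGTK:3.0" by hand if you want it narrower.
package_use_lines() {
    classify_deps | while IFS='|' read -r kind pkg flag; do
        [ "$kind" = conditional ] || continue
        name=$(printf '%s\n' "$pkg" | sed 's/-[0-9][^ ]*$//')
        printf '%s -%s\n' "$name" "$flag"
    done | LC_ALL=C sort -u
}

# hard_deps: dependents that need gst-plugins-base:0.10 regardless of USE
# flags; these have to be removed or ported rather than reconfigured.
hard_deps() {
    classify_deps | awk -F'|' '$1 == "hard" { print $2 }'
}

# Demo on the constructed sample.
echo "# package.use lines to drop the USE-conditional dependencies:"
printf '%s\n' "$SAMPLE_EQUERY_OUTPUT" | package_use_lines
echo "# packages that need gst-plugins-base:0.10 unconditionally:"
printf '%s\n' "$SAMPLE_EQUERY_OUTPUT" | hard_deps
```

The split matters because only the first group can be handled with a package.use entry; the second group is what `glsa-check` will keep reporting as having no upgrade path until those packages are removed or ported to gstreamer 1.x.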
wpettersson
n00b


Joined: 04 Jun 2014
Posts: 14

PostPosted: Fri Jun 02, 2017 3:06 am

Thanks for that informative post, it's helped me work through this. I did decide to go ahead and just remove skype (and qtwebkit:4) and also remove gstreamer from wxGTK, and after removing unwanted packages I could also remove gst-plugins:0.10.