# GLSA 201705-10, gst-plugins-*:0.10 and glsa-check

## wpettersson

So I noticed GLSA 201705-10 (https://security.gentoo.org/glsa/201705-10) pop up recently. It affects <gst-plugins-{good,bad,base,ugly}-1.10.3. I have version 1.10.3 installed for all these, but as these plugins are slotted I also have 0.10.* versions of them installed. I've checked the bug reports, but it's not clear. Does this bug affect the 0.10 slotted versions of gstreamer? If not, is the GLSA not clear on this, or is glsa-check not correctly identifying the correct vulnerability?

Installed plugins on my system

```
$ eix -Ic gst-plugins-                  

[I] media-libs/gst-plugins-bad (0.10.23-r4(0.10)@25/11/16 1.10.3(1.0)@18/02/17): Less plugins for GStreamer

[I] media-libs/gst-plugins-base (0.10.36-r2(0.10)@30/03/15 1.10.3(1.0)@18/02/17): Basepack of plugins for gstreamer

[I] media-libs/gst-plugins-good (0.10.31-r2(0.10)@22/10/16 1.10.3(1.0)@18/02/17): Basepack of plugins for GStreamer

[I] media-libs/gst-plugins-ugly (0.10.19-r1(0.10)@30/03/15 1.10.3(1.0)@18/02/17): Basepack of plugins for gstreamer
```

glsa-check reports the following

```
$ glsa-check -p 201705-10

Checking GLSA 201705-10

>>> No upgrade path exists for these packages:

     media-libs/gst-plugins-ugly-0.10.19-r1, media-libs/gst-plugins-bad-0.10.23-r4, media-libs/gst-plugins-base-0.10.36-r2, media-libs/gst-plugins-good-0.10.31-r2
```

----------

## ChrisJumper

*wpettersson wrote:*

> So I noticed GLSA 201705-10 (https://security.gentoo.org/glsa/201705-10) pop up recently. It affects <gst-plugins-{good,bad,base,ugly}-1.10.3. I have version 1.10.3 installed for all these, but as these plugins are slotted I also have 0.10.* versions of them installed. I've checked the bug reports, but it's not clear. Does this bug affect the 0.10 slotted versions of gstreamer? If not, is the GLSA not clear on this, or is glsa-check not correctly identifying the correct vulnerability?

Hi wpettersson,

I am not sure which packages need the slotted gstreamer 0.10 versions. The 1.10.3 versions are unaffected. Gstreamer codecs are a security hell for sure. The best you can do is to get rid of codecs which you don't need. It's like stagefright on android phones or the adobe flash.

----------

## wpettersson

*ChrisJumper wrote:*

> I am not sure which packages need the slotted gstreamer 0.10 versions.

wxGTK needs the slotted 0.10, as does qtwebkit:4. These, in turn, are required by apps like Skype, rstudio, gnuplot, audacity etc. These are all still in the portage tree, and still mostly marked stable (skype being keyworded is the exception). Sure, removing Skype and Audacious and rstudio would then let me remove gstreamer 0.10. If gstreamer 0.10 truly is deprecated, it will get removed from the portage tree, but we're a long way from that precisely because many apps still depend on it.

So gstreamer:0.10 is still in the tree, and I'm still not sure whether this GLSA affects it.

----------

## ChrisJumper

Oh you are right, if 0.1 and 1.10 are different slots... oh wait.

scarybeastsecurity blog wrote that the older gstreamer-0.10 is affected.

But if I try the exploit it did not work for me. The blog says that the avi file should crash tracker on Gnome.

Got no issues here. GLSA is still complaining about the lack of updates for 0.10 packages. Maybe it's just a bug or they need time to update.

Edit: I just had some older packages that use these libraries. So I just removed them. Others like

```
x11-libs/wxGTK-2.8.12.1-r1 (gstreamer ? media-libs/gst-plugins-base:0.10)
```

did not really need that on my system, because I have not set the gstreamer USE flag, so I removed the gst-plugins and gstreamer 0.10 packages without issues.

I checked it with `equery d =media-libs/gst-plugins-base-0.10.36-r2` and copied the lines with the request for gstreamer 0.10 packages. Then I took a look at how old the package is and thought about whether you need it. I found a package that was installed but no longer in portage. :D

----------

## Leio

wxGTK can be bumped to a new version to use gstreamer 1.x instead (or patched before that), but I have been too busy to get to that, sorry. However, likely your wxGTK consumers don't actually need wxMediaCtrl (that is what is enabled by this USE=gstreamer) and you could per-package disable gstreamer on wxGTK for now. I suggest doing that only for wxGTK:3.0, as when things start migrating more to wxGTK:3.0-gtk3 I'll have it fixed up to use gst 1.0 by then, so you don't need to worry about putting it back. Of course you can also do it with the slot unspecified if you know that nothing needs wxMediaCtrl. I don't suggest messing with the global gstreamer USE choice in make.conf for that purpose, however, but per-package in /etc/portage/package.use.

skype needing qtwebkit is in a similar position. It might need the (also known security vulnerable) qtwebkit:4, but not qtwebkit:4[gstreamer], so could per-package disable USE=gstreamer on that as well. As qtwebkit:4 has hundreds of known vulnerabilities, might want to consider alternatives though. The official new thing is skypeforlinux. I use pidgin-skypeweb for text chat and android when needing to talk (I prefer it anyways due to hands-free paired to that), or skypeforlinux on desktop only if really needed as it's a really nice memory and CPU sink.

An old report of what still might need fixing to not use the security vulnerable gst 0.10 is at https://github.com/gentoo/gentoo/pull/3321 - but gnome 3.24, the wxGTK bump, gstreamer 1.12 and so on take priority for me, so I haven't even managed to file bugs against all the still affected packages yet.

And yes, gstreamer:0.10, gst-plugins-base:0.10 and so on are known security vulnerable (as much as you call crashes security vulnerabilities, which seems the thing to do these days...), just maybe not that particular one as I did simply disable some vulnerable plugins in 0.10 before in revbump, but soon after more vulnerability reports flew in, which would have required backporting (they were in things like the mp4 demuxer...), so I gave up, which was the reasonable thing to do with it not being maintained upstream for years.

As for claims of gstreamer being a security hell, I would say quite the opposite. GStreamer actually got security auditing now, with all found issues promptly fixed. So that's good for security, compared to the many things that just aren't audited at all (which includes gstreamer 0.10) and as such don't get any fuss about it.

Since tracker version 1.10.5 (and before that upstream; we skipped some releases) there is also seccomp based sandboxing to guard against that stuff, as long as you don't avoid it by disabling the default-enabled USE=seccomp there or by not having libseccomp installed during the tracker compile.
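The triage ChrisJumper describes (run `equery d` on the 0.10 package, then decide per dependant) and Leio's suggestion to drop USE=gstreamer per package can be combined into a small script. This is an added example, not from the thread or from Gentoo's tooling: it parses constructed `equery d` output (only the wxGTK line comes from the thread; the other atoms and versions are made up) and separates dependants that need the 0.10 slot only under USE=gstreamer, which can be fixed in /etc/portage/package.use, from those that need it unconditionally and must be bumped, patched or removed.

```shell
#!/bin/sh
# Constructed sample of `equery d =media-libs/gst-plugins-base-0.10.36-r2`
# output. The wxGTK line is from the thread; the rest are made-up atoms.
SAMPLE='x11-libs/wxGTK-2.8.12.1-r1 (gstreamer ? media-libs/gst-plugins-base:0.10)
dev-qt/qtwebkit-4.8.7 (gstreamer ? media-libs/gst-plugins-base:0.10)
media-sound/example-player-1.0 (media-libs/gst-plugins-base:0.10)
app-misc/other-1.2 (>=media-libs/gst-plugins-base-1.0:1.0)'

# Strip the version suffix from an atom: category/pn-1.2.3-r1 -> category/pn
strip_version() {
    printf '%s\n' "$1" | sed -E 's/-[0-9][^-]*(-r[0-9]+)?$//'
}

# Emit "category/pn -gstreamer" for every dependant whose 0.10 dependency is
# guarded by the gstreamer USE flag; these lines suit /etc/portage/package.use.
# Add a slot (e.g. ":3.0") by hand if you only want to affect one slot.
package_use_lines() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        case "$line" in
            *'(gstreamer ? '*':0.10)'*)
                atom=${line%% *}
                printf '%s -gstreamer\n' "$(strip_version "$atom")" ;;
        esac
    done
}

# Emit dependants that need the 0.10 slot regardless of USE flags; the
# version is kept so you can judge how old (and how abandoned) each one is.
hard_dependants() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        case "$line" in
            *'(gstreamer ? '*) ;;                 # USE-conditional, handled above
            *':0.10)'*) printf '%s\n' "${line%% *}" ;;
        esac
    done
}

echo "== package.use candidates =="; package_use_lines
echo "== need bump/patch/removal =="; hard_dependants
```

On a real system replace the constructed SAMPLE with the actual `equery d` output for each gst-plugins-*:0.10 package; after applying the package.use lines and rebuilding, `emerge --depclean` can tell whether the 0.10 slots are still pulled in.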

----------

## wpettersson

Thanks for that informative post, it's helped me work through this. I decided to go ahead and just remove skype (and qtwebkit:4) and also remove gstreamer from wxGTK, and after removing unwanted packages I could also remove gst-plugins:0.10.

----------