On Thu, 7 Jan 2016 23:45:38 +0100 David Haller <gen...@dhaller.de> wrote:
> On Wed, 06 Jan 2016, »Q« wrote:
> >On Tue, 5 Jan 2016 08:26:42 -0800
> >Grant <emailgr...@gmail.com> wrote:
> >
> >> > AFAICT, details of the gstreamer bug itself haven't been made
> >> > public yet, and nobody is sure whether the unmaintained 0.10
> >> > branch needs a patch. See
> >> > <https://bugs.gentoo.org/show_bug.cgi?id=553742#c11> and the
> >> > following comment.
> >>
> >> So everyone is just living with the supposed security
> >> vulnerability on their system?
> >
> >Not everyone. SUSE and Debian seem to have patches for this for
> >0.10.
> >
> ><https://www.suse.com/security/cve/CVE-2015-0797.html>
> >
> ><https://www.debian.org/security/2015/dsa-3225>
>
> https://build.opensuse.org/package/view_file/multimedia:libs/gstreamer-0_10-plugins-bad/gstreamer-0_10-plugins-bad-mp4-overflow.patch?expand=1

The bug is fixed -- that patch is applied in gst-plugins-bad-0.10.23-r3.

I understand there's effectively no longer an upstream for 0.10, but still it's disconcerting that a patch made it from Mozilla to Debian and SUSE (and who knows who else) months ago without other distros finding out about it. Maybe that's why access to Mozilla's bug entry is still restricted.

I guess there's nothing to do but for us to be vigilant until eventually all the things that depend on 0.10 are gone and we no longer need it.