Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-12 Thread Grant
>> >> > AFAICT, details of the gstreamer bug itself haven't been made
>> >> > public yet, and nobody is sure whether the unmaintained 0.10
>> >> > branch needs a patch.  See
>> >> >  and the
>> >> > following comment.
>> >>
>> >> So everyone is just living with the supposed security
>> >> vulnerability on their system?
>> >
>> >Not everyone.  SUSE and Debian seem to have patches for this for
>> >0.10.
>> >
>>
>> https://build.opensuse.org/package/view_file/multimedia:libs/gstreamer-0_10-plugins-bad/gstreamer-0_10-plugins-bad-mp4-overflow.patch?expand=1
>
> The bug is fixed -- that patch is applied in gst-plugins-bad-0.10.23-r3.


Should we expect the glsa-check reported vulnerability to go away?

- Grant



Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-07 Thread David Haller
Hello,

On Wed, 06 Jan 2016, »Q« wrote:
>On Tue, 5 Jan 2016 08:26:42 -0800
>Grant  wrote:
>
>> > AFAICT, details of the gstreamer bug itself haven't been made public
>> > yet, and nobody is sure whether the unmaintained 0.10 branch needs a
>> > patch.  See  and
>> > the following comment.   
>> 
>> So everyone is just living with the supposed security vulnerability on
>> their system?
>   
>Not everyone.  SUSE and Debian seem to have patches for this for 0.10.
>

https://build.opensuse.org/package/view_file/multimedia:libs/gstreamer-0_10-plugins-bad/gstreamer-0_10-plugins-bad-mp4-overflow.patch?expand=1

I've not found other patches for 0.10 there[1].

gstreamer-1.x is at 1.61 there, so no patch.

HTH,
-dnh

[1] https://build.opensuse.org/project/show/multimedia:libs and filter
for gstr

-- 
Funny thing is, I once left ASR for about a year, and the thread entitled
"sex and the single sysadmin" was _still_ going strong when I returned.
It was like I never left.  Warm fuzzies.   -- AJR



Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-06 Thread Grant
>> So everyone is just living with the supposed security vulnerability on
>> their system?
>
> It's not clear whether the vulnerability applies to 0.10 or not. I played
> safe and uninstalled the only program depending on the 0.0 slot and then
> depcleaned.


OK so that's where the GLSA bug comes in?  It reports a vulnerability
that may not be accurate?

Should we just wait for clarification of the vulnerability and a
subsequent update to glsa-check's data feed?

- Grant



Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-06 Thread Mick
On Wednesday 06 Jan 2016 12:27:30 »Q« wrote:
> On Tue, 5 Jan 2016 08:26:42 -0800
> 
> Grant  wrote:
> > > AFAICT, details of the gstreamer bug itself haven't been made public
> > > yet, and nobody is sure whether the unmaintained 0.10 branch needs a
> > > patch.  See  and
> > > the following comment.
> > 
> > So everyone is just living with the supposed security vulnerability on
> > their system?
> 
> Not everyone.  SUSE and Debian seem to have patches for this for 0.10.
> 

I tried removing 0.10.36-r2, but stopped, because some applications (Opera, 
Pidgin, farstream) currently require it.

-- 
Regards,
Mick



Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-05 Thread Grant
>> >> GLSA 201512-07 requires that I remove gstreamer-0.10 but I'm
>> >> finding it rather inextricable due to dependencies.  Has anyone
>> >> else run into this problem?
>> >
>> > I think this is another case of glsa-check not handling slots
>> > correctly.
>>
>> I believe it handles ranges fine, but it seems that we occasionally
>> have GLSAs that don't correctly specify ranges.  You can log a bug
>> against it.
>
> AFAICT, details of the gstreamer bug itself haven't been made public
> yet, and nobody is sure whether the unmaintained 0.10 branch needs a
> patch.  See  and
> the following comment.


So everyone is just living with the supposed security vulnerability on
their system?

- Grant



Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-05 Thread waltdnes
On Tue, Jan 05, 2016 at 06:36:06AM -0600, »Q« wrote

> I couldn't follow everything in the bug linked from c12;  I've been
> using Firefox latest with gstreamer-1.0 for a while without problems,
> but maybe that's because I don't use libav.
> 
> This probably won't affect Pale Moon at all, but Mozilla has gotten rid
> of gstreamer support in Firefox (not yet in released versions):
> 

  When I go to https://www.youtube.com/html5 it shows that my browser
(i.e. Pale Moon) supports HTMLVideoElement, H.264, and WebM VP8.  What
will removal of Gstreamer support from Firefox do?

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-05 Thread Neil Bothwick
On Tue, 5 Jan 2016 08:26:42 -0800, Grant wrote:

> So everyone is just living with the supposed security vulnerability on
> their system?

It's not clear whether the vulnerability applies to 0.10 or not. I played
safe and uninstalled the only program depending on the 0.0 slot and then
depcleaned.


-- 
Neil Bothwick

God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.




Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-05 Thread Alan McKinnon
On 05/01/2016 20:43, waltd...@waltdnes.org wrote:
> On Tue, Jan 05, 2016 at 06:36:06AM -0600, »Q« wrote
> 
>> I couldn't follow everything in the bug linked from c12;  I've been
>> using Firefox latest with gstreamer-1.0 for a while without problems,
>> but maybe that's because I don't use libav.
>>
>> This probably won't affect Pale Moon at all, but Mozilla has gotten rid
>> of gstreamer support in Firefox (not yet in released versions):
>> 
> 
>   When I go to https://www.youtube.com/html5 it shows that my browser
> (i.e. Pale Moon) supports HTMLVideoElement, H.264, and WebM VP8.  What
> will removal of Gstreamer support from Firefox do?
> 

It will use something other than gstreamer to play content.

According to the Mozilla bug quoted above, gstreamer was removed from
Firefox as everything that used it was gone.

-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-04 Thread waltdnes
On Mon, Jan 04, 2016 at 11:20:57AM -0600, »Q« wrote

> AFAICT, details of the gstreamer bug itself haven't been made public
> yet, and nobody is sure whether the unmaintained 0.10 branch needs a
> patch.  See  and
> the following comment.

  As pointed out in comment 12 of that bug, 1.x broke the 0.10.x ABI/API
and causes problems on Firefox.  I use Pale Moon, a Firefox fork, and it
too will only build with gstreamer 0.10.x.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications