Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-12 Thread Grant
>> >> > AFAICT, details of the gstreamer bug itself haven't been made
>> >> > public yet, and nobody is sure whether the unmaintained 0.10
>> >> > branch needs a patch.  See
>> >> >  and the
>> >> > following comment.
>> >>
>> >> So everyone is just living with the supposed security
>> >> vulnerability on their system?
>> >
>> >Not everyone.  SUSE and Debian seem to have patches for this for
>> >0.10.
>>
>> https://build.opensuse.org/package/view_file/multimedia:libs/gstreamer-0_10-plugins-bad/gstreamer-0_10-plugins-bad-mp4-overflow.patch?expand=1
>
> The bug is fixed -- that patch is applied in gst-plugins-bad-0.10.23-r3.


Should we expect the glsa-check reported vulnerability to go away?

- Grant



[gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-11 Thread »Q«
On Thu, 7 Jan 2016 23:45:38 +0100
David Haller  wrote:

> On Wed, 06 Jan 2016, »Q« wrote:
> >On Tue, 5 Jan 2016 08:26:42 -0800
> >Grant  wrote:
> >  
> >> > AFAICT, details of the gstreamer bug itself haven't been made
> >> > public yet, and nobody is sure whether the unmaintained 0.10
> >> > branch needs a patch.  See
> >> >  and the
> >> > following comment. 
> >> 
> >> So everyone is just living with the supposed security
> >> vulnerability on their system?  
> > 
> >Not everyone.  SUSE and Debian seem to have patches for this for
> >0.10.
> 
> https://build.opensuse.org/package/view_file/multimedia:libs/gstreamer-0_10-plugins-bad/gstreamer-0_10-plugins-bad-mp4-overflow.patch?expand=1

The bug is fixed -- that patch is applied in gst-plugins-bad-0.10.23-r3.

I understand there's effectively no longer an upstream for 0.10, but
still it's disconcerting that a patch made it from Mozilla to Debian
and SUSE (and who knows who else) months ago without other distros
finding out about it.  Maybe that's why access to Mozilla's bug entry
is still restricted.  

I guess there's nothing to do but for us to be vigilant until eventually
all the things that depend on 0.10 are gone and we no longer need it.





Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-07 Thread David Haller
Hello,

On Wed, 06 Jan 2016, »Q« wrote:
>On Tue, 5 Jan 2016 08:26:42 -0800
>Grant  wrote:
>
>> > AFAICT, details of the gstreamer bug itself haven't been made public
>> > yet, and nobody is sure whether the unmaintained 0.10 branch needs a
>> > patch.  See  and
>> > the following comment.   
>> 
>> So everyone is just living with the supposed security vulnerability on
>> their system?
>   
>Not everyone.  SUSE and Debian seem to have patches for this for 0.10.

https://build.opensuse.org/package/view_file/multimedia:libs/gstreamer-0_10-plugins-bad/gstreamer-0_10-plugins-bad-mp4-overflow.patch?expand=1

I've not found other patches for 0.10 there[1].

gstreamer-1.x is at 1.61 there, so no patch.

HTH,
-dnh

[1] https://build.opensuse.org/project/show/multimedia:libs and filter
for gstr

-- 
Funny thing is, I once left ASR for about a year, and the thread entitled
"sex and the single sysadmin" was _still_ going strong when I returned.
It was like I never left.  Warm fuzzies.   -- AJR



Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-06 Thread Grant
>> So everyone is just living with the supposed security vulnerability on
>> their system?
>
> It's not clear whether the vulnerability applies to 0.10 or not. I played
> safe and uninstalled the only program depending on the 0.0 slot and then
> depcleaned.


OK so that's where the GLSA bug comes in?  It reports a vulnerability
that may not be accurate?

Should we just wait for clarification of the vulnerability and a
subsequent update to glsa-check's data feed?

- Grant



[gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-06 Thread »Q«
On Tue, 5 Jan 2016 08:26:42 -0800
Grant  wrote:

> > AFAICT, details of the gstreamer bug itself haven't been made public
> > yet, and nobody is sure whether the unmaintained 0.10 branch needs a
> > patch.  See  and
> > the following comment.   
> 
> So everyone is just living with the supposed security vulnerability on
> their system?

Not everyone.  SUSE and Debian seem to have patches for this for 0.10.










Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-06 Thread Mick
On Wednesday 06 Jan 2016 12:27:30 »Q« wrote:
> On Tue, 5 Jan 2016 08:26:42 -0800
> 
> Grant  wrote:
> > > AFAICT, details of the gstreamer bug itself haven't been made public
> > > yet, and nobody is sure whether the unmaintained 0.10 branch needs a
> > > patch.  See  and
> > > the following comment.
> > 
> > So everyone is just living with the supposed security vulnerability on
> > their system?
> 
> Not everyone.  SUSE and Debian seem to have patches for this for 0.10.

I tried removing 0.10.36-r2, but stopped, because some applications (Opera, 
Pidgin, farstream) currently require it.

-- 
Regards,
Mick



Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-05 Thread Grant
>> >> GLSA 201512-07 requires that I remove gstreamer-0.10 but I'm
>> >> finding it rather inextricable due to dependencies.  Has anyone
>> >> else run into this problem?
>> >
>> > I think this is another case of glsa-check not handling slots
>> > correctly.
>>
>> I believe it handles ranges fine, but it seems that we occasionally
>> have GLSAs that don't correctly specify ranges.  You can log a bug
>> against it.
>
> AFAICT, details of the gstreamer bug itself haven't been made public
> yet, and nobody is sure whether the unmaintained 0.10 branch needs a
> patch.  See  and
> the following comment.


So everyone is just living with the supposed security vulnerability on
their system?

- Grant



Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-05 Thread waltdnes
On Tue, Jan 05, 2016 at 06:36:06AM -0600, »Q« wrote

> I couldn't follow everything in the bug linked from c12;  I've been
> using Firefox latest with gstreamer-1.0 for a while without problems,
> but maybe that's because I don't use libav.
> 
> This probably won't affect Pale Moon at all, but Mozilla has gotten rid
> of gstreamer support in Firefox (not yet in released versions):
> 

  When I go to https://www.youtube.com/html5 it shows that my browser
(i.e. Pale Moon) supports HTMLVideoElement, H.264, and WebM VP8.  What
will removal of Gstreamer support from Firefox do?

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-05 Thread Neil Bothwick
On Tue, 5 Jan 2016 08:26:42 -0800, Grant wrote:

> So everyone is just living with the supposed security vulnerability on
> their system?

It's not clear whether the vulnerability applies to 0.10 or not. I played
safe and uninstalled the only program depending on the 0.0 slot and then
depcleaned.


-- 
Neil Bothwick

God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.




Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-05 Thread Alan McKinnon
On 05/01/2016 20:43, waltd...@waltdnes.org wrote:
> On Tue, Jan 05, 2016 at 06:36:06AM -0600, »Q« wrote
> 
>> I couldn't follow everything in the bug linked from c12;  I've been
>> using Firefox latest with gstreamer-1.0 for a while without problems,
>> but maybe that's because I don't use libav.
>>
>> This probably won't affect Pale Moon at all, but Mozilla has gotten rid
>> of gstreamer support in Firefox (not yet in released versions):
>> 
> 
>   When I go to https://www.youtube.com/html5 it shows that my browser
> (i.e. Pale Moon) supports HTMLVideoElement, H.264, and WebM VP8.  What
> will removal of Gstreamer support from Firefox do?
> 

It will use something other than gstreamer to play content.

According to the Mozilla bug quoted above, gstreamer was removed from
Firefox as everything that used it was gone.

-- 
Alan McKinnon
alan.mckin...@gmail.com




[gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-05 Thread »Q«
On Mon, 4 Jan 2016 14:09:17 -0500
waltd...@waltdnes.org wrote:

> On Mon, Jan 04, 2016 at 11:20:57AM -0600, »Q« wrote
> 
> > AFAICT, details of the gstreamer bug itself haven't been made public
> > yet, and nobody is sure whether the unmaintained 0.10 branch needs a
> > patch.  See  and
> > the following comment.  
> 
>   As pointed out in comment 12 of that bug, 1.x broke the 0.10.x
> ABI/API and causes problems on Firefox.  I use Pale Moon, a Firefox
> fork, and it too will only build with gstreamer 0.10.x.

I couldn't follow everything in the bug linked from c12;  I've been
using Firefox latest with gstreamer-1.0 for a while without problems,
but maybe that's because I don't use libav.

This probably won't affect Pale Moon at all, but Mozilla has gotten rid
of gstreamer support in Firefox (not yet in released versions):





Re: [gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-04 Thread waltdnes
On Mon, Jan 04, 2016 at 11:20:57AM -0600, »Q« wrote

> AFAICT, details of the gstreamer bug itself haven't been made public
> yet, and nobody is sure whether the unmaintained 0.10 branch needs a
> patch.  See  and
> the following comment.

  As pointed out in comment 12 of that bug, 1.x broke the 0.10.x ABI/API
and causes problems on Firefox.  I use Pale Moon, a Firefox fork, and it
too will only build with gstreamer 0.10.x.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



[gentoo-user] Re: Difficulty fixing GLSA 201512-07 (gstreamer-0.10)

2016-01-04 Thread »Q«
On Sun, 3 Jan 2016 11:49:49 -0500
Rich Freeman  wrote:

> On Sun, Jan 3, 2016 at 11:28 AM, Neil Bothwick 
> wrote:
> > On Sun, 3 Jan 2016 07:52:30 -0800, Grant wrote:
> >  
> >> GLSA 201512-07 requires that I remove gstreamer-0.10 but I'm
> >> finding it rather inextricable due to dependencies.  Has anyone
> >> else run into this problem?  
> >
> > I think this is another case of glsa-check not handling slots
> > correctly. 
> 
> I believe it handles ranges fine, but it seems that we occasionally
> have GLSAs that don't correctly specify ranges.  You can log a bug
> against it.

AFAICT, details of the gstreamer bug itself haven't been made public
yet, and nobody is sure whether the unmaintained 0.10 branch needs a
patch.  See  and
the following comment.