Mageia alert MGASA-2017-0348 (gstreamer0.10-plugins-good, gstreamer1.0-plugins-good) [LWN.net]

From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2017-0348: Updated gstreamer0.10-plugins-good and gstreamer1.0-plugins-good packages fix security vulnerabilities 
Date:
    	       Thu, 21 Sep 2017 15:44:09 +0200
Message-ID:
    	       <20170921134409.B7DC99F88E@duvel.mageia.org>
MGASA-2017-0348 - Updated gstreamer0.10-plugins-good and gstreamer1.0-plugins-good packages fix
security vulnerabilities

Publication date: 21 Sep 2017
URL: https://advisories.mageia.org/MGASA-2017-0348.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-10198,
     CVE-2016-10199,
     CVE-2017-5840,
     CVE-2017-5841,
     CVE-2017-5845

Description:
A crafted AAC audio file could have caused an invalid read and thus
corruption or denial of service (CVE-2016-10198).

A crafted mp4 file could have caused an invalid read and thus corruption
or denial of service (CVE-2016-10199).

A crafted AVI file could have caused an invalid read and thus corruption
or denial of service (CVE-2017-5840).

A crafted AVI file with metadata tag entries (ncdt) could have caused
invalid read access and thus corruption or denial of service
(CVE-2017-5841).

A crafted AVI file could have caused an invalid read access resulting in
denial of service (CVE-2017-5845).

Note that GStreamer 0.10 was only affected by CVE-2016-10198 and
CVE-2017-5840.

References:
- https://bugs.mageia.org/show_bug.cgi?id=20237
- http://openwall.com/lists/oss-security/2017/02/02/9
- https://lists.opensuse.org/opensuse-updates/2017-04/msg00...
- https://lwn.net/Alerts/714997/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5840
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5841
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5845

SRPMS:
- 5/core/gstreamer0.10-plugins-good-0.10.31-9.2.mga5
- 5/core/gstreamer1.0-plugins-good-1.4.3-2.2.mga5

From:		Mageia Updates <buildsystem-daemon@mageia.org>
To:		updates-announce@ml.mageia.org
Subject:		[updates-announce] MGASA-2017-0348: Updated gstreamer0.10-plugins-good and gstreamer1.0-plugins-good packages fix security vulnerabilities
Date:		Thu, 21 Sep 2017 15:44:09 +0200
Message-ID:		<20170921134409.B7DC99F88E@duvel.mageia.org>