Request to help track down certain security patches and help understand the how-to for importing them to older Gst versions

Unnikrishnan Sreekumar unnikrishnankgs at gmail.com
Thu Apr 21 05:12:24 UTC 2022


Thank you Nirbheek for the details!
This is very helpful.

Cheers
Unnikrishnan

On Sat, Apr 16, 2022 at 11:52 AM Nirbheek Chauhan <
nirbheek.chauhan at gmail.com> wrote:

> On Fri, Apr 15, 2022 at 5:15 AM Unnikrishnan Sreekumar via
> gstreamer-devel <gstreamer-devel at lists.freedesktop.org> wrote:
> > I am looking for help with certain security vulnerabilities in GStreamer
> > and these are my questions:
> >
> > Questions:
> >
> > 1) Can GStreamer support importing the fixes for CVEs in (3) and (4)
> > below - for older releases?
> >
> > If so, how?
> >
>
> All these were already backported into 1.14, 1.16, 1.18 (as
> applicable). So you just need to use the latest versions of each of
> those stable series.
>
> > 2) Could you share details (like commit hashes) about these patches, and
> > any instructions/tips on how to cherry-pick patches to older GStreamer
> > releases - for (3) and (4)?
> >
> > 3) Will the security fixes that went in for mkv parser vulnerabilities
> > in Gst 1.18.4 be cherry-picked to earlier releases like Gst 1.16.2?
> >
> > Specifically for CVEs: CVE-2021-3498, CVE-2021-3497
> >
>
> The MR says this was already backported into 1.16 and 1.14:
>
> https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/902
>
> This is the 1.14 backport MR:
>
> https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/905
>
> And this is for 1.16:
>
> https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/904
>
> > 4) Will the security fixes that went in for rtsp connection parser
> > vulnerability in Gst 1.16.0 be cherry-picked to earlier releases like Gst
> > 1.14.5?
> >
> > CVE: CVE-2019-9928
> >
>
> According to the merge request:
>
> https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/157
>
> This was already cherry-picked into 1.14.5. See the git history:
> https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commits/1.14/
>
> And it was fixed during the 1.15 development cycle, so the 1.16.x
> stable series is not affected.
>
> Cheers,
> Nirbheek
>