-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2093
                 Security update for gstreamer-plugins-bad
                               11 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gstreamer-plugins-bad
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3185
Reference:         ESB-2021.2064
                   ESB-2021.1979

Original Bulletin:
   https://www.suse.com/support/update/announcement/2021/suse-su-20211944-1

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for gstreamer-plugins-bad
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:1944-1
Rating:            important
References:        #1181255
Cross-References:  CVE-2021-3185
Affected Products:
                   SUSE Linux Enterprise Module for Desktop Applications 15-SP3
                   SUSE Linux Enterprise Module for Basesystem 15-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.
Description:

This update for gstreamer-plugins-bad fixes the following issues:

  o Update to version 1.16.3:
    - CVE-2021-3185: buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking() (bsc#1181255)
    - amcvideodec: fix sync meta copying not taking a reference
    - audiobuffersplit: Perform discont tracking on running time
    - audiobuffersplit: Specify in the template caps that only interleaved audio is supported
    - audiobuffersplit: Unset DISCONT flag if not discontinuous
    - autoconvert: Fix lock-less exchange or free condition
    - autoconvert: fix compiler warnings with g_atomic on recent GLib versions
    - avfvideosrc: element requests camera permissions even when the capture-screen property is true
    - codecparsers: h264parser: guard against ref_pic_markings overflow
    - dtlsconnection: Avoid segmentation fault when no srtp capabilities are negotiated
    - dtls/connection: fix EOF handling with openssl 1.1.1e
    - fdkaacdec: add support for mpegversion=2
    - hls: Check nettle version to ensure AES128 support
    - ipcpipeline: Rework compiler checks
    - interlace: Increment phase_index before checking if we're at the end of the phase
    - h264parser: Do not allocate too large size of memory for registered user data SEI
    - ladspa: fix unbounded integer properties
    - modplug: avoid division by zero
    - msdkdec: Fix GstMsdkContext leak
    - msdkenc: fix leaks on windows
    - musepackdec: Don't fail all queries if no sample rate is known yet
    - openslessink: Allow openslessink to handle 48kHz streams.
    - opencv: allow compilation against 4.2.x
    - proxysink: event_function needs to handle the event when it is disconnected from proxysrc
    - vulkan: Drop use of VK_RESULT_BEGIN_RANGE
    - wasapi: added missing lock release in case of error in gst_wasapi_xxx_reset
    - wasapi: Fix possible deadlock during downward state change
    - waylandsink: Clear window when pipeline is stopped
    - webrtc: Support non-trickle ICE candidates in the SDP
    - webrtc: Unmap all non-binary buffers received via the datachannel

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1944=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1944=1

Package List:

  o SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
       gstreamer-plugins-bad-1.16.3-9.3.1
       gstreamer-plugins-bad-chromaprint-1.16.3-9.3.1
       gstreamer-plugins-bad-chromaprint-debuginfo-1.16.3-9.3.1
       gstreamer-plugins-bad-debuginfo-1.16.3-9.3.1
       gstreamer-plugins-bad-debugsource-1.16.3-9.3.1
       gstreamer-plugins-bad-devel-1.16.3-9.3.1
       libgstadaptivedemux-1_0-0-1.16.3-9.3.1
       libgstadaptivedemux-1_0-0-debuginfo-1.16.3-9.3.1
       libgstbadaudio-1_0-0-1.16.3-9.3.1
       libgstbadaudio-1_0-0-debuginfo-1.16.3-9.3.1
       libgstbasecamerabinsrc-1_0-0-1.16.3-9.3.1
       libgstbasecamerabinsrc-1_0-0-debuginfo-1.16.3-9.3.1
       libgstcodecparsers-1_0-0-1.16.3-9.3.1
       libgstcodecparsers-1_0-0-debuginfo-1.16.3-9.3.1
       libgstinsertbin-1_0-0-1.16.3-9.3.1
       libgstinsertbin-1_0-0-debuginfo-1.16.3-9.3.1
       libgstisoff-1_0-0-1.16.3-9.3.1
       libgstisoff-1_0-0-debuginfo-1.16.3-9.3.1
       libgstmpegts-1_0-0-1.16.3-9.3.1
       libgstmpegts-1_0-0-debuginfo-1.16.3-9.3.1
       libgstplayer-1_0-0-1.16.3-9.3.1
       libgstplayer-1_0-0-debuginfo-1.16.3-9.3.1
       libgstsctp-1_0-0-1.16.3-9.3.1
       libgstsctp-1_0-0-debuginfo-1.16.3-9.3.1
       libgsturidownloader-1_0-0-1.16.3-9.3.1
       libgsturidownloader-1_0-0-debuginfo-1.16.3-9.3.1
       libgstwayland-1_0-0-1.16.3-9.3.1
       libgstwayland-1_0-0-debuginfo-1.16.3-9.3.1
       libgstwebrtc-1_0-0-1.16.3-9.3.1
       libgstwebrtc-1_0-0-debuginfo-1.16.3-9.3.1
       typelib-1_0-GstInsertBin-1_0-1.16.3-9.3.1
       typelib-1_0-GstMpegts-1_0-1.16.3-9.3.1
       typelib-1_0-GstPlayer-1_0-1.16.3-9.3.1
       typelib-1_0-GstWebRTC-1_0-1.16.3-9.3.1
  o SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (noarch):
       gstreamer-plugins-bad-lang-1.16.3-9.3.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
       gstreamer-plugins-bad-debuginfo-1.16.3-9.3.1
       gstreamer-plugins-bad-debugsource-1.16.3-9.3.1
       libgstphotography-1_0-0-1.16.3-9.3.1
       libgstphotography-1_0-0-debuginfo-1.16.3-9.3.1

References:

  o https://www.suse.com/security/cve/CVE-2021-3185.html
  o https://bugzilla.suse.com/1181255

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYMK0TeNLKJtyKPYoAQjZqw/9HTPWnvWW5a4Nlj0JA10OpviYdh05S94e
V67seDbh8cTt1wf2AoJS/z6lO2erO9aXkc5YVUHUVezhjso8DM/eLvkwKnn+txwo
4tR+NuqsKGZa3ceg5pgh1on9A6CcVGAl2wVOXyYWWmefiHiLm0X8vkMgJhQ1RsWY
V6f3rrB4Tltmfqn1zSAP9/3LsWReD7vsU7x8ksCz7cOmONcg0f6/2DZ2aCRKXzS0
NayrHs2IVOYVa0O+SZAhJqCWhtpiG/WOontp9kHqorf45q7iy0e1Sbbm5CjK7FNx
M0Ux2dqY5GCDD8Dp6Xgxc/RK3Sbz234K57YGz/F3DeYY4KF93SY0H0HjwgicOSux
GbA3n+0Zny1rjaqzs4RWFMdm4doWfRhK7iSySBfoLhkL8ItEASffGmW1YLfN+sEH
cFPBEQKZ+lH+cUYH2bf3UnBtJjiu1L2hC59q4UYZHL7RwkVs+T2h0oFmxRwu6eKa
LV5QS26G99YY71NrCk6j63nyQPJrjJwPKXEWgrT120+qjX/EHdfkGA1JMeDAMGFG
Gk0tHAQ0mR1ZzU3sd51cEqetiDNwPfv+ejdunSW0ddJOsGwWgO68RuVUK7oCU6jR
W3bweDMMNDgplDhn73RbC++5T4y65y040pAZ1BAkx2689ZOA32aiGqFyIcL4uGvk
fzQzoYKMewM=
=4LqF
-----END PGP SIGNATURE-----
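The advisory above names the fixed function, gst_h264_slice_parse_dec_ref_pic_marking(), and the corresponding changelog entry "h264parser: guard against ref_pic_markings overflow", but does not show the bug class. The following is an added example, not GStreamer's code: an independent reconstruction of a dec_ref_pic_marking() parser (H.264 clause 7.3.3.3) whose list of memory-management operations ends only when the bitstream sends mmco == 0, so the stream, not the parser, decides how many entries are written into a fixed-size array. The capacity of 10, the struct and field names, and the sample bitstreams are assumptions constructed for this demo. count_requested_markings() keeps the pre-fix loop shape with the array write removed, so it reports the attacker-chosen index without corrupting memory; parse_dec_ref_pic_marking() carries the bound check that rejects the slice instead.

```c
/* Added example, not GStreamer's code: reconstruction of the CVE-2021-3185 bug class.
 * The dec_ref_pic_marking() list (H.264 7.3.3.3) ends only on mmco == 0, so the
 * stream chooses how many entries land in a fixed-size array.  The capacity of 10,
 * the struct/field names and the sample bitstreams are assumptions for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REF_PIC_MARKINGS 10            /* assumed capacity of the per-slice array */

typedef struct { const uint8_t *data; size_t nbits; size_t pos; } BitReader;

static int read_bit(BitReader *br, unsigned *out) {
    if (br->pos >= br->nbits) return -1;   /* never read past the payload */
    *out = (br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u;
    br->pos++;
    return 0;
}

static int read_bits(BitReader *br, unsigned n, unsigned *out) {
    unsigned v = 0, b;
    for (unsigned i = 0; i < n; i++) { if (read_bit(br, &b)) return -1; v = (v << 1) | b; }
    *out = v;
    return 0;
}

/* ue(v), unsigned Exp-Golomb (H.264 9.1): N leading zeros, a one, then N bits. */
static int read_ue(BitReader *br, unsigned *out) {
    unsigned zeros = 0, b, rest;
    for (;;) {
        if (read_bit(br, &b)) return -1;
        if (b) break;
        if (++zeros > 31) return -1;       /* malformed prefix */
    }
    if (read_bits(br, zeros, &rest)) return -1;
    *out = (1u << zeros) - 1u + rest;
    return 0;
}

typedef struct {
    unsigned mmco;                          /* memory_management_control_operation, 1..6 */
    unsigned difference_of_pic_nums_minus1, long_term_pic_num;
    unsigned long_term_frame_idx, max_long_term_frame_idx_plus1;
} RefPicMarking;

typedef struct {
    unsigned adaptive_ref_pic_marking_mode_flag, n_ref_pic_marking;
    RefPicMarking ref_pic_marking[MAX_REF_PIC_MARKINGS];
} DecRefPicMarking;

/* Operands that follow each mmco value (H.264 7.4.3.3). */
static int read_mmco_operands(BitReader *br, unsigned mmco, RefPicMarking *r) {
    r->mmco = mmco;
    if ((mmco == 1 || mmco == 3) && read_ue(br, &r->difference_of_pic_nums_minus1)) return -1;
    if (mmco == 2 && read_ue(br, &r->long_term_pic_num)) return -1;
    if ((mmco == 3 || mmco == 6) && read_ue(br, &r->long_term_frame_idx)) return -1;
    if (mmco == 4 && read_ue(br, &r->max_long_term_frame_idx_plus1)) return -1;
    return 0;
}

/* Pre-fix loop shape with the array write removed: returns how many
 * ref_pic_marking[i] slots the stream would drive an unguarded parser through
 * (the attacker-controlled index), or -1 on malformed input. */
static int count_requested_markings(BitReader *br) {
    RefPicMarking scratch;
    unsigned flag, mmco, n = 0;
    if (read_bit(br, &flag)) return -1;
    if (!flag) return 0;
    for (;;) {
        if (read_ue(br, &mmco)) return -1;
        if (mmco == 0) return (int)n;
        if (mmco > 6 || read_mmco_operands(br, mmco, &scratch)) return -1;
        n++;
    }
}

/* Hardened parser for a non-IDR slice: 0 on success, -1 on malformed or oversized
 * input.  The capacity check is the guard the 1.16.3 changelog describes. */
static int parse_dec_ref_pic_marking(BitReader *br, DecRefPicMarking *m) {
    unsigned mmco, i = 0;
    memset(m, 0, sizeof *m);
    if (read_bit(br, &m->adaptive_ref_pic_marking_mode_flag)) return -1;
    if (!m->adaptive_ref_pic_marking_mode_flag) return 0;   /* sliding window: no list */
    for (;;) {
        if (read_ue(br, &mmco)) return -1;
        if (mmco == 0) break;
        if (mmco > 6) return -1;
        if (i >= MAX_REF_PIC_MARKINGS) return -1;  /* reject rather than write past the array */
        if (read_mmco_operands(br, mmco, &m->ref_pic_marking[i])) return -1;
        i++;
    }
    m->n_ref_pic_marking = i;
    return 0;
}

/* Constructed input: flag = 1, n_ops copies of ue(5) = "00110" (mmco 5 carries no
 * operands), then the ue(0) = "1" terminator.  Returns the bit length written. */
static size_t put_bits(uint8_t *buf, size_t cap, size_t pos, const char *bits) {
    for (; *bits && (pos >> 3) < cap; bits++, pos++)
        if (*bits == '1') buf[pos >> 3] |= (uint8_t)(0x80u >> (pos & 7));
    return pos;
}

static size_t build_marking_stream(uint8_t *buf, size_t cap, unsigned n_ops) {
    memset(buf, 0, cap);
    size_t pos = put_bits(buf, cap, 0, "1");
    for (unsigned k = 0; k < n_ops; k++) pos = put_bits(buf, cap, pos, "00110");
    return put_bits(buf, cap, pos, "1");
}

/* Entries the hardened parser accepts for a stream carrying n_ops operations, or -1. */
static int demo_parse(unsigned n_ops) {
    uint8_t buf[64];
    DecRefPicMarking m;
    BitReader br = { buf, build_marking_stream(buf, sizeof buf, n_ops), 0 };
    return parse_dec_ref_pic_marking(&br, &m) ? -1 : (int)m.n_ref_pic_marking;
}

/* Slots the same stream would push the unguarded loop through. */
static int demo_requested(unsigned n_ops) {
    uint8_t buf[64];
    BitReader br = { buf, build_marking_stream(buf, sizeof buf, n_ops), 0 };
    return count_requested_markings(&br);
}

int main(void) {
    printf("3 ops:  accepted=%d requested=%d\n", demo_parse(3), demo_requested(3));
    printf("12 ops: accepted=%d requested=%d (array holds %d)\n",
           demo_parse(12), demo_requested(12), MAX_REF_PIC_MARKINGS);
    return 0;
}
```

Build with `cc -Wall -o refpic refpic.c && ./refpic`. The three-operation stream is accepted with three entries; the twelve-operation stream is rejected by the guarded parser, while count_requested_markings() shows the stream asked for twelve slots in an array of ten, which is exactly the write the unguarded loop would have performed. The pattern to look for when auditing other codec parsers is the same: a loop terminated by a sentinel in the input rather than by the size of the destination. On SUSE the fix ships in the 1.16.3-9.3.1 packages listed above; `rpm -q libgstcodecparsers-1_0-0` shows whether the installed version is at or past that release.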