Bug#847417: depends on gstreamer-plugins-bad, which is an ongoing source of security holes

Laurent Bigonville bigon at debian.org
Sat Dec 10 05:16:50 UTC 2016

On 09/12/16 at 23:08, Michael Biebl wrote:
> Hi Joey
> On 08.12.2016 at 03:01, Joey Hess wrote:
>> Package: gnome-video-effects
>> Version: 0.4.1-3
>> Severity: normal
>> gstreamer-plugins-bad has been in the news at least twice recently for
>> security holes.
>> http://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html
>> https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-risky-design-decisions-in.html
>> It seems likely that it will continue to be a source of such security
>> holes.
> This doesn't immediately address your concern, but I just uploaded
> tracker including this change:
> "tracker-extract: Sandbox extractor threads. Filesystem and network
>   access are limited to being read and local only."
>> I wanted to remove gstreamer-plugins-bad from my system, but this would
>> remove gnome-video-effects, which would remove cheese. I don't know why
>> cheese needs a ton of insecurely implemented codecs for playing Nintendo
>> games etc in order to take snapshots and record videos. Probably it doesn't?
> gnome-video-effects is just one of many others depending on
> gstreamer-plugins-bad, and I guess we have to check each and every one
> of them.
> Laurent, this dependency was originally added by you. Do you remember
> the details and why this needs to be a hard dependency? The only real
> dependency of gnome-video-effects is cheese, would some of the cheese
> features not work if gstreamer-plugins-bad was not installed?

I think cheese was not starting at all if there were no effects 
installed. I quickly tested again now and cheese seems to be OK if the 
gnome-video-effects package is not installed. So we could lower the 
dependency to a recommends.

BUT that will not solve the problem at all as cheese itself needs the 
camerabin plugin from gstreamer1.0-plugins-bad (libcheese8 depends on 
it). libcheese8 is used by cheese but also gnome-control-center, 
gnome-contacts, gnome-initial-setup (and also indirectly by empathy). I 
personally don't want to disable cheese support in all these components.

gstreamer1.0-plugins-bad actually contains other plugins that look 
useful to me (or might be useful in the future like the waylandsink) and 
not only "codecs for playing Nintendo games".

In Ubuntu they are splitting the package more (same for the 
gnome-video-effects package actually) and are also moving at build time 
some of the plugins to gstreamer1.0-plugins-good. Following what Ubuntu 
is doing might be an idea but it will require more work from the 
gstreamer maintainer I guess (I'm adding them in the loop) and we might 
be a bit late in the development cycle to do that now.

my 2¢

More information about the pkg-gstreamer-maintainers mailing list