Bug#847417: depends on gstreamer-plugins-bad, which is an ongoing source of security holes
Michael Biebl
biebl at debian.org
Fri Dec 9 22:08:01 UTC 2016
Hi Joey
On 08.12.2016 at 03:01, Joey Hess wrote:
> Package: gnome-video-effects
> Version: 0.4.1-3
> Severity: normal
>
> gstreamer-plugins-bad has been in the news at least twice recently for
> security holes.
>
> http://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html
> https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-risky-design-decisions-in.html
>
> It seems likely that it will continue to be a source of such security
> holes.

This doesn't immediately address your concern, but I just uploaded
tracker including this change:
"tracker-extract: Sandbox extractor threads. Filesystem and network
access are limited to being read and local only."

> I wanted to remove gstreamer-plugins-bad from my system, but this would
> remove gnome-video-effects, which would remove cheese. I don't know why
> cheese needs a ton of insecurely implemented codecs for playing Nintendo
> games etc in order to take snapshots and record videos. Probably it doesn't?

gnome-video-effects is just one of many others depending on
gstreamer-plugins-bad, and I guess we have to check each and every one
of them.

Laurent, this dependency was originally added by you. Do you remember
the details and why this needs to be a hard dependency? The only real
dependency of gnome-video-effects is cheese. Would some of the cheese
features not work if gstreamer-plugins-bad was not installed?

Michael

[1] https://anonscm.debian.org/cgit/collab-maint/tracker.git/commit/?id=0ac99d4d549e35d87f23534d52bcba6d23893ffa
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
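
An added illustration of the per-package check the message above calls for (not part of the original e-mail and not Debian tooling): a small Python parser over control-format stanzas that separates hard Depends from Recommends/Suggests and flags hard dependencies that offer an alternative. The stanzas are constructed sample data; example-player, example-editor and example-codecs are hypothetical packages, and gstreamer-plugins-bad is spelled as in the thread.

```python
import re

# Constructed sample in Debian control-file format (same layout as
# /var/lib/dpkg/status); relationships are illustrative, not archive data.
SAMPLE_STATUS = """\
Package: gnome-video-effects
Version: 0.4.1-3
Depends: gstreamer-plugins-bad (>= 1.0),
 gstreamer-plugins-good

Package: cheese
Depends: libc6, gnome-video-effects

Package: example-player
Recommends: gstreamer-plugins-bad | example-codecs

Package: example-editor
Depends: gstreamer-plugins-bad | example-codecs
"""

HARD, SOFT = ("Pre-Depends", "Depends"), ("Recommends", "Suggests")
RANK = ["hard", "hard-alt", "soft"]  # strongest relationship first

def parse_stanzas(text):
    """Yield a field -> value dict per stanza, joining continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def names(group):
    """Bare package names in one OR-group such as 'a (>= 1) | b:any'."""
    return [re.split(r"[\s(:\[]", alt.strip(), maxsplit=1)[0] for alt in group.split("|")]

def classify(text, target):
    """Map each package referencing target to 'hard', 'hard-alt' or 'soft'."""
    result = {}
    for st in parse_stanzas(text):
        for field in HARD + SOFT:
            for group in st.get(field, "").split(","):
                alts = names(group)
                if target in alts:
                    kind = "soft" if field in SOFT else ("hard" if len(alts) == 1 else "hard-alt")
                    prev = result.get(st["Package"], kind)
                    result[st["Package"]] = min(prev, kind, key=RANK.index)
    return result
```

Only the "hard" entries force removal of the dependent package when the target is removed; on a real system the input would be the contents of /var/lib/dpkg/status and the actual binary package name.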