Bug#847417: depends on gstreamer-plugins-bad, which is an ongoing source of security holes

Michael Biebl biebl at debian.org
Fri Dec 9 22:08:01 UTC 2016

Hi Joey

Am 08.12.2016 um 03:01 schrieb Joey Hess:
> Package: gnome-video-effects
> Version: 0.4.1-3
> Severity: normal
> gstreamer-plugins-bad has been in the news at least twice recently for
> security holes. 
> http://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html
> https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-risky-design-decisions-in.html
> It seems likely that it will continue to be a source of such security
> holes.

This doesn't immediately address your concern, but I just uploaded
tracker including this change:

"tracker-extract: Sandbox extractor threads. Filesystem and network
 access are limited to being read and local only."

> I wanted to remove gstreamer-plugins-bad from my system, but this would
> remove gnome-video-effects, which would remove cheese. I don't know why
> cheese needs a ton of insecurely implemented codecs for playing Nintendo
> games etc in order to take snapshots and record videos. Probably it doesn't?

gnome-video-effects is just one of many others depending on
gstreamer-plugins-bad, and I guess we have to check each and every one
of them.

Laurent, this dependency was originally added by you. Do you remember
the details and why this needs to be a hard dependency? The only real
dependency of gnome-video-effects is cheese, would some of the cheese
features not work if gstreamer-plugins-bad was not installed?


Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20161209/69a007a2/attachment.sig>

More information about the pkg-gnome-maintainers mailing list