Fix for CVE-2021-3185 in Ubuntu 20.10?

Asked by Johannes Rost on 2021-01-28

Will the fix for CVE-2021-3185 (https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/11353b3f6e2f047cc37483d21e6a37ae558896bc) be available for Ubuntu 20.10?

Kind regards
Johannes Rost

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu gst-plugins-bad1.0 Edit question
Assignee:
No assignee Edit question
Last query:
2021-01-29
Last reply:
2021-01-29
Bernard Stafford (bernard010) said : #1

For Diagnostic open terminal [ctl+alt+t] : lsb_release -a; uname -a; python --version
CVE-2021-3185 : A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly code execution.
If you have this version which is the current version for 20.10 your OK, Prior versions before 1.2 are affected.
https://packages.ubuntu.com/groovy/gir1.2-gst-plugins-bad-1.0

Manfred Hampl (m-hampl) said : #2

see https://ubuntu.com/security/CVE-2021-3185
It seems that work is in progress.

@Bernard:
The version in groovy is 1.18.0-2ubuntu6 which is "before v1.18.1". I assume that the current version in groovy IS vulnerable.

Bernard Stafford (bernard010) said : #3

Thanks, I stand corrected.

Bernard Stafford (bernard010) said : #4

This is a Red Hat bug affecting Fedora OS. https://access.redhat.com/security/cve/CVE-2021-3185

Manfred Hampl (m-hampl) said : #5

The code in Ubuntu is identical.

Johannes Rost (jrost) said : #6

I saw the status on https://ubuntu.com/security/CVE-2021-3185 and was just wondering wether groovy is going to get a fix for this.

I am currently using https://packages.ubuntu.com/groovy/gstreamer1.0-plugins-bad-apps (gstreamer1.0-plugins-bad-apps (1.18.0-2ubuntu6) ) on groovy (20.10). Will I have to wait for 21.04?

Kind regards
Johannes Rost

Manfred Hampl (m-hampl) said : #7

My personal guess is that the patch will be applied to all older relevant Ubuntu releases, but I cannot predict how fast that may happen.
If you see the bug as a threat, then you are free to build your personal version of the packages, e.g. in a PPA.

Another potential workaround: It might be possible to manually install the packages from Ubuntu 21.04 (hirsute) also on Ubuntu 20.10 (groovy). In a very quick look I did not see any broken dependencies (no warranty given).

Can you help with this problem?

Provide an answer of your own, or ask Johannes Rost for more information if necessary.

To post a message you must log in.