Acknowledgement sent to Joey Hess <id@joeyh.name>:
New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Thu, 08 Dec 2016 02:09:04 GMT)
Package: gnome-video-effects
Version: 0.4.1-3
Severity: normal
gstreamer-plugins-bad has been in the news at least twice recently for
security holes.
http://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html
https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-risky-design-decisions-in.html
It seems likely that it will continue to be a source of such security
holes.
I wanted to remove gstreamer-plugins-bad from my system, but this would
remove gnome-video-effects, which would remove cheese. I don't know why
cheese needs a ton of insecurely implemented codecs for playing Nintendo
games etc in order to take snapshots and record videos. Probably it doesn't?
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gnome-video-effects depends on:
ii gstreamer1.0-plugins-bad 1.10.0-1
ii gstreamer1.0-plugins-good 1.10.0-1
gnome-video-effects recommends no packages.
Versions of packages gnome-video-effects suggests:
pn gnome-video-effects-frei0r <none>
-- no debconf information
--
see shy jo
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#847417; Package gnome-video-effects.
(Fri, 09 Dec 2016 22:12:04 GMT)
Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Fri, 09 Dec 2016 22:12:04 GMT)
Hi Joey
Am 08.12.2016 um 03:01 schrieb Joey Hess:
> Package: gnome-video-effects
> Version: 0.4.1-3
> Severity: normal
>
> gstreamer-plugins-bad has been in the news at least twice recently for
> security holes.
>
> http://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html
> https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-risky-design-decisions-in.html
>
> It seems likely that it will continue to be a source of such security
> holes.
This doesn't immediately address your concern, but I just uploaded
tracker including this change:
"tracker-extract: Sandbox extractor threads. Filesystem and network
access are limited to being read and local only."
> I wanted to remove gstreamer-plugins-bad from my system, but this would
> remove gnome-video-effects, which would remove cheese. I don't know why
> cheese needs a ton of insecurely implemented codecs for playing Nintendo
> games etc in order to take snapshots and record videos. Probably it doesn't?
gnome-video-effects is just one of many others depending on
gstreamer-plugins-bad, and I guess we have to check each and every one
of them.
Laurent, this dependency was originally added by you. Do you remember
the details and why this needs to be a hard dependency? The only real
dependency of gnome-video-effects is cheese, would some of the cheese
features not work if gstreamer-plugins-bad was not installed?
Michael
[1]
https://anonscm.debian.org/cgit/collab-maint/tracker.git/commit/?id=0ac99d4d549e35d87f23534d52bcba6d23893ffa
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#847417; Package gnome-video-effects.
(Sat, 10 Dec 2016 05:21:03 GMT)
Acknowledgement sent to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Sat, 10 Dec 2016 05:21:03 GMT)
Subject: Re: Bug#847417: depends on gstreamer-plugins-bad, which is an ongoing
source of security holes
Date: Sat, 10 Dec 2016 06:16:50 +0100
Le 09/12/16 à 23:08, Michael Biebl a écrit :
> Hi Joey
Hi,
>
> Am 08.12.2016 um 03:01 schrieb Joey Hess:
>> Package: gnome-video-effects
>> Version: 0.4.1-3
>> Severity: normal
>>
>> gstreamer-plugins-bad has been in the news at least twice recently for
>> security holes.
>>
>> http://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html
>> https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-risky-design-decisions-in.html
>>
>> It seems likely that it will continue to be a source of such security
>> holes.
> This doesn't immediately address your concern, but I just uploaded
> tracker including this change:
>
> "tracker-extract: Sandbox extractor threads. Filesystem and network
> access are limited to being read and local only."
>
>
>> I wanted to remove gstreamer-plugins-bad from my system, but this would
>> remove gnome-video-effects, which would remove cheese. I don't know why
>> cheese needs a ton of insecurely implemented codecs for playing Nintendo
>> games etc in order to take snapshots and record videos. Probably it doesn't?
> gnome-video-effects is just one of many others depending on
> gstreamer-plugins-bad, and I guess we have to check each and every one
> of them.
>
> Laurent, this dependency was originally added by you. Do you remember
> the details and why this needs to be a hard dependency? The only real
> dependency of gnome-video-effects is cheese, would some of the cheese
> features not work if gstreamer-plugins-bad was not installed?
I think cheese was not starting at all if there were no effects
installed. I quickly tested again now and cheese seems to be OK if the
gnome-video-effects package is not installed. So we could lower the
dependency to a recommends.
BUT that will not solve the problem at all as cheese itself needs the
camerabin plugin from gstreamer1.0-plugins-bad (libcheese8 depends on
it). libcheese8 is used by cheese but also gnome-control-center,
gnome-contacts, gnome-initial-setup (and also indirectly by empathy). I
personally don't want to disable cheese support in all these components.
gstreamer1.0-plugins-bad actually contains other plugins that look
useful to me (or might be useful in the future, like the waylandsink) and
not only "codecs for playing Nintendo games".
In Ubuntu they are splitting the package further (same for the
gnome-video-effects package actually) and are also moving at build time
some of the plugins to gstreamer1.0-plugins-good. Following what Ubuntu
is doing might be an idea, but it will require more work from the
gstreamer maintainers I guess (I'm adding them in the loop) and we might
be a bit late in the development cycle to do that now.
my 2¢
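The dependency argument in the thread (lowering gnome-video-effects' Depends to Recommends does not free cheese from gstreamer1.0-plugins-bad, because libcheese8 hard-depends on it) can be checked mechanically. The following is an added example, not code from the bug report or from any Debian package: it parses a constructed control-file excerpt whose relationships mirror the ones named in the thread (package names real, version constraints omitted, the extra stanzas for libgstreamer1.0-0 and gnome-control-center are assumptions for illustration), then computes the transitive set of packages that a removal of one package would drag along, following only reverse Depends, as apt does, and compares the result before and after demoting one relationship to Recommends.

```python
"""Trace what a package removal takes with it, distinguishing Depends from
Recommends. Added example; not part of the bug report or of any package."""
import copy
import re

# Constructed excerpt in control/Packages stanza format. The edges mirror the
# thread: gnome-video-effects and libcheese8 depend on plugins-bad, cheese
# depends on both, gnome-control-center uses libcheese8. Versions omitted.
CONTROL = """\
Package: gstreamer1.0-plugins-bad
Depends: libgstreamer1.0-0

Package: gstreamer1.0-plugins-good
Depends: libgstreamer1.0-0

Package: gnome-video-effects
Depends: gstreamer1.0-plugins-bad, gstreamer1.0-plugins-good

Package: libcheese8
Depends: gstreamer1.0-plugins-bad, libgstreamer1.0-0

Package: cheese
Depends: libcheese8, gnome-video-effects

Package: gnome-control-center
Depends: libcheese8

Package: libgstreamer1.0-0
Depends:
"""


def _split_relation(value):
    """Turn 'a (>= 1), b | c' into ['a', 'b'] (first alternative, no version)."""
    return [r.split("|")[0].split("(")[0].strip()
            for r in value.split(",") if r.strip()]


def parse_control(text):
    """Return {package: {'Depends': [...], 'Recommends': [...]}}."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        pkgs[fields["Package"]] = {
            kind: _split_relation(fields.get(kind, ""))
            for kind in ("Depends", "Recommends")
        }
    return pkgs


def removal_closure(pkgs, removed, relation="Depends"):
    """Packages that must go if `removed` is removed, following reverse
    edges of the given relation. apt only forces removal along Depends."""
    gone = {removed}
    frontier = [removed]
    while frontier:
        current = frontier.pop()
        for name, rels in pkgs.items():
            if name not in gone and current in rels[relation]:
                gone.add(name)
                frontier.append(name)
    return gone


def demote_to_recommends(pkgs, package, dependency):
    """Return a copy of `pkgs` where package's Depends on dependency
    becomes a Recommends, i.e. the change Laurent proposes."""
    new = copy.deepcopy(pkgs)
    rels = new[package]
    if dependency in rels["Depends"]:
        rels["Depends"].remove(dependency)
        rels["Recommends"].append(dependency)
    return new


if __name__ == "__main__":
    pkgs = parse_control(CONTROL)
    before = removal_closure(pkgs, "gstreamer1.0-plugins-bad")
    demoted = demote_to_recommends(pkgs, "gnome-video-effects",
                                   "gstreamer1.0-plugins-bad")
    after = removal_closure(demoted, "gstreamer1.0-plugins-bad")
    print("removed with plugins-bad (hard dep):", sorted(before))
    print("removed after demotion to Recommends:", sorted(after))
    # cheese is still in `after`, pulled in through libcheese8
```

On a real system the same question is answered with `apt-cache rdepends gstreamer1.0-plugins-bad` and a dry run such as `apt-get -s remove gstreamer1.0-plugins-bad`; the script only makes the reasoning explicit on a fixed input.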
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#847417; Package gnome-video-effects.
(Sat, 10 Dec 2016 09:57:03 GMT)
Acknowledgement sent to Sebastian Dröge <slomo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Sat, 10 Dec 2016 09:57:03 GMT)
On Sat, 2016-12-10 at 06:16 +0100, Laurent Bigonville wrote:
>
>
> In ubuntu they are splitting more the package (same for the
> gnome-video-effects package actually) and are also moving at build time
> some of the plugins to gstreamer1.0-plugins-good. Following what ubuntu
> is doing might be an idea but it will require more work from the
> gstreamer maintainer I guess (I'm adding them in the loop) and we might
> be a bit late in the development cycle to do that now.
Following what Ubuntu does is definitely not a good idea. We shouldn't
just randomly move code from one source package to another.
Splitting everything more is a possible solution, the question then
however is how much splitting should happen. Should each plugin get its
own binary package? How would you decide what to group otherwise?
It's not that simple.
I would split per plugin, if it wasn't that much work and wouldn't also
cause a lot of work for ftp-master to always move things out of the NEW
queue again, and increase the size of what "apt-get update" has to
download, and increase the workload for each maintainer (which of these
150 plugins do I need? 2 hours later: ah! those 80 packages).
Doing so would also be useful from a dependency chain point of view,
gstreamer1.0-plugins-bad has lots of external dependencies.
For the other things you mentioned, there's some upstream effort to get
things moved from gst-plugins-bad to gst-plugins-good/base, like
camerabin and also some of the effects that cheese probably uses.
Nonetheless, none of this is going to solve this specific problem.
1) If packages are split, the first time the user finds a specially
crafted file of some obscure format, totem would ask the user to
install the required package. What do you think are the chances that
the user clicks on "ok" to install that package?
Note that this semi-automatic codec installation is only for that,
codecs / container formats. Not for any other kind of plugin that
provides a feature your package might require.
2) Next time there's a security bug, are we also going to split e.g.
imagemagick (also used by tracker) to one package per image format it
supports (good luck, it has no plugin system AFAICS). Or openssl
whenever some of its features have a bug? Or ffmpeg (it also has support
for hundreds of obscure formats, in one monolithic library that can't
be split), which also has some history of security bugs.
If we're going that road, at some point we won't get around having one
binary package per source file unless software just stops having bugs.
3) As you might've noticed, one (set) of the problems Chris Evans found
was in gstreamer1.0-plugins-good. I'm sure you will also find problems
in every other GStreamer package if you just look hard enough, or in
any piece of software out there for that matter.
I think the only way how to solve this problem is by just fixing bugs
as we always do, and mitigation for any so-far unfixed (security) bugs
(be it sandboxing relevant parts of the code, ASLR, ...).
Splitting the GStreamer packages into more binaries would be worthwhile
independent of that, we would have to find a way to keep the workload
of everybody at an acceptable level though.
And overall, this specific issue seems completely blown out of
proportion. Sure there are bugs, they can possibly be exploited and
should obviously be fixed. But the problem here is not only GStreamer,
and these kinds of problems are not only something that would affect
GStreamer (ever looked at all the packages getting fixes on
debian-security?). It's now just that someone actually took a look at
GStreamer, found issues, just put them out there without responsible
disclosure and wrote fancy blog posts. That's good as it allows things
to get fixed, but it's also nothing special that only affects
GStreamer.
Subject: Re: depends on gstreamer-plugins-bad, which is an ongoing source of
security holes
Date: Fri, 17 Jan 2025 16:17:39 -0500
This isn't really actionable on the part of gnome-video-effects since
there are many Debian packages that use gstreamer-plugins-bad, so I'm
closing this bug.
Thank you,
Jeremy Bícha
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org.
(Sat, 15 Feb 2025 07:25:04 GMT)