Opened 4 years ago
Closed 4 years ago
#15514 closed enhancement (fixed)
gstreamer gst-plugins-base gst-plugins-good gst-plugins-bad gst-plugins-ugly gst-libav gstreamer-vaapi 1.18.5
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | normal | Milestone: | 11.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point version.
Change History (19)
comment:1 by , 4 years ago
Priority: | normal → elevated |
---|
comment:2 by , 4 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 4 years ago
Priority: | elevated → normal |
---|
After consultation with the maintainer, I'm happy to confirm that there are no security vulnerabilities fixed in this release, and that it was a blind copy and paste error that suggested that vulnerabilities existed.
I decided to investigate this yesterday after wondering why there were no security advisories on their website for this version and also why there were no issues marked as Resolved with the "Security" label on them in their issue tracker.
Promoting back to normal.
comment:4 by , 4 years ago
gstreamer
- aggregator: Release the SRC lock while querying latency
- aggregator: Release pads' peeked buffer when removing the pad or finalizing it
- basesink: Don't swap rstart/rstop when stepping
- basesrc: Print segments with GST_SEGMENT_FORMAT and not GST_PTR_FORMAT
- childproxy: init value in gst_child_proxy_get_property() if needed
- clocksync: Fix providing system clock by default
- concat: Properly propagate seqnum of segment events
- concat: adjust running time offsets on downstream events
- concat: fix locking in SEGMENT event handler
- downloadbuffer/sparsefile: several fixes for win32
- element: NULL the lists of contexts in dispose()
- multiqueue: Use running time of gap events for wakeups.
- multiqueue: Ensure peer pad exists when iterating internal links
- pad: Keep IDLE probe hook alive during immediate callback
- pad: Ensure last flow return is set on sink pads in push mode
- pad: Don't spam the debug log at INFO level when default-chaining a buffer list
- pad: clear probes holding mutex
- parse-launch: Fix a critical when using the : operator.
- parse-launch: Don't do delayed property setting for top-level properties.
- plugin: load plugins with unknown license strings
- ptpclock: Don't leak the GList
- queue2: Refuse all serialized queries when posting buffering messages
- systemclock: Update monotonic reference time when re-scheduling
- High CPU usage in 1.18 (but not master) when pausing playback in gnome-music
- Don't use volatile to mean atomic (fixes compiler warnings with gcc 11)
comment:6 by , 4 years ago
gst-plugins-base
- appsrc: Don't leak buffer list while wrongly unreffing buffer on EOS/flushing
- audioaggregator: Don't overwrite already written samples
- audioaggregator: Resync on the next buffer when dropping a buffer on discont resyncing
- audiobasesink: Fix of double lock release
- audioaggregator: Don't overwrite already written samples
- audiobasesrc: Fix divide by zero assertion
- clockoverlay: Fix broken string formatting by strftime() on Windows
- compositor: Fix NV12 blend operation
- giosrc: Don't leak scheme string in gst_gio_src_query()
- giobasesink: Handle incomplete writes in gst_gio_base_sink_render()
- gl/wayland: Use consistent wl_display when creating work queue for proxy wrapper
- gl: Fix build when Meson >= 0.58.0rc1
- gl/wayland: provide a dummy global_remove function
- playbin2: fix base_time selection when flush seeking live (such as with RTSP)
- rtspconnection: Add IPv6 support for tunneled mode
- rtspconnection: Consistently translate GIOError to GstRTSPResult (for rtspsrc)
- rawbaseparse: check destination format correctly
- uridecodebin: Don't force floating reference for future reusable decodebin
- parsebin: Put stream flags in GstStream
- splitmuxsink: always use factory property when set
- video-converter: Set up matrix tables only once.
- videoscale: Performance degradation from 1.16.2 -> 1.18.4
- videotestsrc: Fix a leak when computing alpha caps
- audio/video-converter: Plug some minor leaks
- audio,video-format: Make generate_raw_formats idempotent for assertions
- Don't use volatile to mean atomic (fixes compiler warnings with gcc 11)
- Fix build issue on MinGW64
comment:7 by , 4 years ago
gst-plugins-good
- avidemux: Also detect 0x000001 as H264 byte-stream start code in codec_data
- deinterlace: Plug a method subobject leak
- deinterlace: Drop field-order field if outputting progressive
- jpegdec: Fix crash when interlaced field height is not DCT block size aligned
- qmlglsink: Keep old buffers around a bit longer if they were bound by QML
- qml: qtitem: don't potentially leak a large number of buffers
- qtdemux: Force stream-start push when re-using EOS'd streams
- qtmux: for Apple ProRes, allow overriding pixel bit depth, e.g. when exporting an opaque image, yet with alpha.
- qtmux: Make sure to write 64-bit STCO table when needed.
- rtpjpegpay: fix image corruption when compiled with MSVC on Windows
- rtpptdemux: Remove pads also in PAUSED->READY
- rtph265depay: update codec_data in caps regardless of format
- rtspsrc: Do not overwrite the known duration after a seek
- rtspsrc: De-dup seek event seqnums to avoid multiple seeks
- rtspsrc: Fix race saving seek event seqnum
- rtspsrc: Using multicast UDP has no relation to seekability, also add some logging
- rtpjitterbuffer: Fix parsing of the mediaclk:direct= field
- rtpjitterbuffer: Avoid generation of invalid timestamps
- rtpjitterbuffer: Check srcresult before waiting on the condition variable too
- rtpjitterbuffer: More logging when calculating rfc7273 timestamps
- rtspsrc: Fix more signals
- rtspsrc: Fix accumulation of before-send signal return values
- souphttpsrc: Always use the content decoder but set `Accept-Encoding:...
- udpsrc: Plug leaks of saddr in error cases
- multiudpsink: Fix broken SO_SNDBUF get/set on Windows
- v4l2object: Add interlace-mode back to caps for camera
- v4l2object: Use default colorimetry if that in caps is unknown
- V4l2object: Avoid colorimetry mismatch for streams with invalid colorimetry
- v4l2object: Add support for hdr10 stream playback
- wavparse: adtl/note/labl chunk parsing fixes
- Don't use volatile to mean atomic (fixes compiler warnings with gcc 11)
- 1.18.4: build fails with glib 2.67.6 and gcc-11: argument 2 of ‘_atomicload’ must not be a pointer to a ‘volatile’ type
follow-up: 10 comment:8 by , 4 years ago
In gst-plugins-good, the patch is no longer required.
Also, I'm going to do some dependency reshuffling. Since none of the gstreamer plugins depend on each other, with the exception of them all depending on gst-plugins-base, the dependency on libpng/cairo/libjpeg can be moved into gst-plugins-base and subsequently dropped from gst-plugins-good.
follow-up: 11 comment:10 by , 4 years ago
Replying to Douglas R. Reno:
> In gst-plugins-good, the patch is no longer required.
> Also, I'm going to do some dependency reshuffling. Since none of the gstreamer plugins depend on each other, with the exception of them all depending on gst-plugins-base, the dependency on libpng/cairo/libjpeg can be moved into gst-plugins-base and subsequently dropped from gst-plugins-good.
I'm not sure I agree with that. If gst-plugins-base does not use nor test a dependency, it's not a dependency of gst-plugins-base. If (for example) I only want to build gst-plugins-base and gst-plugins-bad, and none of those depend on libxxx, why would I want to build libxxx?
follow-up: 13 comment:11 by , 4 years ago
Replying to pierre:
> Replying to Douglas R. Reno:
> > In gst-plugins-good, the patch is no longer required.
> > Also, I'm going to do some dependency reshuffling. Since none of the gstreamer plugins depend on each other, with the exception of them all depending on gst-plugins-base, the dependency on libpng/cairo/libjpeg can be moved into gst-plugins-base and subsequently dropped from gst-plugins-good.
> I'm not sure I agree with that. If gst-plugins-base does not use nor test a dependency, it's not a dependency of gst-plugins-base. If (for example) I only want to build gst-plugins-base and gst-plugins-bad, and none of those depend on libxxx, why would I want to build libxxx?
I'm not sure I was clear enough here, here's a better example:
gst-plugins-base:
- libgudev (Run-time dependency gudev-1.0 found: YES 237)
- libpng (Run-time dependency libpng found: YES 1.6.37)
- libjpeg-turbo (Run-time dependency libjpeg found: YES 2.1.1)
- pango (Run-time dependency pangocairo found: YES 1.48.10)
- Mesa (Run-time dependency gl found: YES 21.2.1)
- Xorg Libraries (Run-time dependency xext found: YES 1.3.4)
Meanwhile, in gst-plugins-good:
- * DEPENDS ON GST-PLUGINS-BASE *
- libpng
- libjpeg-turbo
- cairo
- libgudev
- mesa
- Xorg Libraries
And in gst-plugins-bad:
- * DEPENDS ON GST-PLUGINS-BASE *
- Xorg Libraries
- libgudev
I'm basically looking to clear up the duplicate dependencies in packages which depend on gst-plugins-base. In the case of gst-plugins-bad, that means Xorg Libraries and libgudev (although wayland-protocols, which is referenced as Optional in gst-plugins-base, has a dependency on Wayland - so maybe the Wayland dependency can go too since it's marked as Optional). In the case of gst-plugins-good, that means libpng, libjpeg-turbo, libgudev, mesa, and Xorg Libraries. I will probably need to add a recommended dependency on Pango to gst-plugins-base though.
I'm also OK with leaving the dependencies alone if you'd prefer.
comment:12 by , 4 years ago
gst-plugins-bad
- audiolatency: Use live mode audiotestsrc
- audiolatency: Handle audio buffers with invalid duration
- ccconverter: fix framerate caps negotiation from non-cdp to cdp
- dashdemux: Properly initalize GError, remove duplicate logging call
- dashdemux: Log protection events on corresponding pad
- dashdemux: fix dash_mpdparser_check_mpd_client_set_methods unit test
- h264parse,h265parse: Push parameter set NAL units again per segment-done
- h265parse: Fix a typo in get_compatible_profile_caps()
- h265parse: don't invalidate the last PPS when parsing a new SPS
- h264parse: improve PPS handling
- h2645parser: Catch overflows in AVC/HEVC NAL unit length calculations
- interlace: Don't set field-order field for progressive caps, fixes negotiation issues
- interlace: Fix too small buffer size error
- jpegparse: Don't generate timestamp for 0/1 framerates
- opencv: fix build error on macOS
- openexr: Fix build with OpenEXR 3
- openh264enc: fix broken sps/pps header generation and some minor leaks
- mpeg2enc: fix interlace-mode detection on input video
- mpeg2enc: Only allow 1 pending frame for encoding (fixes unbound memory usage in case encoder can't keep up with input)
- mfvideoenc: Don't pass 0/1 framerate to MFT
- mfvideosrc: Fix for negative MF stride
- mfvideosrc: Fix negotiation when interlace-mode is specified
- mxfvanc: Handle empty ANC essence
- rtmp2src: workaround a GLib race when destroying a GMainContext/GSource
- rtpsrc: Plug leak of rtcp_send_addr and fix setting URI back to NULL
- rtpsink: Return proper pad from _request_new_pad()
- rist: Plug leak of rtcp_send_addr
- rtmp2: Use correct size of write macro for param2.
- rtmp2/connection: Separate inner from outer cancelling
- tsmux: When selecting random PIDs, name the pads according to those PIDs
- tsmux: Recheck existing pad PIDs when requesting a new pad with a random pid
- tsdemux: fix seek with stop regression
- tsdemux: Clear all streams when rewinding, fixes the case where the demuxer sends out partial invalid data downstream after a seek which causes some decoders (such as dvdlpmdec) to error out
- v4l2slh264dec: Fix slice header bit size calculation
- videoparseutils: Fix for wrong CEA708 minimum size check
- waylandsink: Fix for missing initial configure
- wpe: Make threaded view singleton creation thread safe
- x265: Fix a deadlock when failing to create the x265enc
- Don't use volatile to mean atomic (fixes compiler warnings with gcc 11)
follow-up: 17 comment:13 by , 4 years ago
Replying to Douglas R. Reno:
> Replying to pierre:
> > Replying to Douglas R. Reno:
> > > In gst-plugins-good, the patch is no longer required.
> > > Also, I'm going to do some dependency reshuffling. Since none of the gstreamer plugins depend on each other, with the exception of them all depending on gst-plugins-base, the dependency on libpng/cairo/libjpeg can be moved into gst-plugins-base and subsequently dropped from gst-plugins-good.
> > I'm not sure I agree with that. If gst-plugins-base does not use nor test a dependency, it's not a dependency of gst-plugins-base. If (for example) I only want to build gst-plugins-base and gst-plugins-bad, and none of those depend on libxxx, why would I want to build libxxx?
> I'm not sure I was clear enough here, here's a better example:
> gst-plugins-base:
> - libgudev (Run-time dependency gudev-1.0 found: YES 237)
> - libpng (Run-time dependency libpng found: YES 1.6.37)
> - libjpeg-turbo (Run-time dependency libjpeg found: YES 2.1.1)
> - pango (Run-time dependency pangocairo found: YES 1.48.10)
> - Mesa (Run-time dependency gl found: YES 21.2.1)
> - Xorg Libraries (Run-time dependency xext found: YES 1.3.4)
> Meanwhile, in gst-plugins-good:
> - * DEPENDS ON GST-PLUGINS-BASE *
> - libpng
> - libjpeg-turbo
> - cairo
> - libgudev
> - mesa
> - Xorg Libraries
> And in gst-plugins-bad:
> - * DEPENDS ON GST-PLUGINS-BASE *
> - Xorg Libraries
> - libgudev
> I'm basically looking to clear up the duplicate dependencies in packages which depend on gst-plugins-base. In the case of gst-plugins-bad, that means Xorg Libraries and libgudev (although wayland-protocols, which is referenced as Optional in gst-plugins-base, has a dependency on Wayland - so maybe the Wayland dependency can go too since it's marked as Optional). In the case of gst-plugins-good, that means libpng, libjpeg-turbo, libgudev, mesa, and Xorg Libraries. I will probably need to add a recommended dependency on Pango to gst-plugins-base though.
> I'm also OK with leaving the dependencies alone if you'd prefer.
Replying to my own comment here, in gst-plugins-bad, the wayland dependency should definitely stay since it mentions that need for GTK+-3 to be compiled with Wayland support.
comment:14 by , 4 years ago
gst-plugins-ugly
- asfdemux/realmedia: Drop duplicate seek events
- Don't use volatile to mean atomic (fixes compiler warnings with gcc 11)
comment:15 by , 4 years ago
gst-libav
- avmux: Blacklist ttml subtitles (fixes crash with ffmpeg >= 4.4)
- avmux: fix segfault when a plugin's long_name is NULL
- avviddec: Fix size of linesize parameter
- avviddec: Take into account coded_height for pool
- avdemux: fix build with FFmpeg 4.4
comment:16 by , 4 years ago
gstreamer-vaapi
- plugins: Demote rank of vaapipostproc and vaapioverlay to match other filters
- Don't use volatile to mean atomic (fixes compiler warnings with gcc 11)
comment:17 by , 4 years ago
Replying to Douglas R. Reno:
> Replying to Douglas R. Reno:
> > Replying to pierre:
> > > Replying to Douglas R. Reno:
> > > > In gst-plugins-good, the patch is no longer required.
> > > > Also, I'm going to do some dependency reshuffling. Since none of the gstreamer plugins depend on each other, with the exception of them all depending on gst-plugins-base, the dependency on libpng/cairo/libjpeg can be moved into gst-plugins-base and subsequently dropped from gst-plugins-good.
> > > I'm not sure I agree with that. If gst-plugins-base does not use nor test a dependency, it's not a dependency of gst-plugins-base. If (for example) I only want to build gst-plugins-base and gst-plugins-bad, and none of those depend on libxxx, why would I want to build libxxx?
> > I'm not sure I was clear enough here, here's a better example:
> > gst-plugins-base:
> > - libgudev (Run-time dependency gudev-1.0 found: YES 237)
> > - libpng (Run-time dependency libpng found: YES 1.6.37)
> > - libjpeg-turbo (Run-time dependency libjpeg found: YES 2.1.1)
> > - pango (Run-time dependency pangocairo found: YES 1.48.10)
> > - Mesa (Run-time dependency gl found: YES 21.2.1)
> > - Xorg Libraries (Run-time dependency xext found: YES 1.3.4)
> > Meanwhile, in gst-plugins-good:
> > - * DEPENDS ON GST-PLUGINS-BASE *
> > - libpng
> > - libjpeg-turbo
> > - cairo
> > - libgudev
> > - mesa
> > - Xorg Libraries
> > And in gst-plugins-bad:
> > - * DEPENDS ON GST-PLUGINS-BASE *
> > - Xorg Libraries
> > - libgudev
> > I'm basically looking to clear up the duplicate dependencies in packages which depend on gst-plugins-base. In the case of gst-plugins-bad, that means Xorg Libraries and libgudev (although wayland-protocols, which is referenced as Optional in gst-plugins-base, has a dependency on Wayland - so maybe the Wayland dependency can go too since it's marked as Optional). In the case of gst-plugins-good, that means libpng, libjpeg-turbo, libgudev, mesa, and Xorg Libraries. I will probably need to add a recommended dependency on Pango to gst-plugins-base though.
> > I'm also OK with leaving the dependencies alone if you'd prefer.
> Replying to my own comment here, in gst-plugins-bad, the wayland dependency should definitely stay since it mentions that need for GTK+-3 to be compiled with Wayland support.
Sorry, I thought you meant that any dependency of gst-plugins-xxx (not base) alone would have to be moved to gst-plugins-base. If some deps of gst-plugins-base are duplicated in some other plugin, of course, the duplicate has to be removed!
comment:19 by , 4 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
To whoever does this, I'm not sure what security fixes the release notes are mentioning, but from the release email: