gst-plugins-bad:
From the Arch Linux advisory:
- CVE-2017-5843 (arbitrary code execution): A double-free issue has
been found in gstreamer before 1.10.3, in
gst_mxf_demux_update_essence_tracks.
- CVE-2017-5848 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in gst_ps_demux_parse_psm.
More: https://lwn.net/Vulnerabilities/713772/
gst-plugins-base:
From the Arch Linux advisory:
- CVE-2017-5837 (denial of service): A floating point exception issue
has been found in gstreamer before 1.10.3, in
gst_riff_create_audio_caps.
- CVE-2017-5839 (denial of service): An endless recursion issue
leading to stack overflow has been found in gstreamer before 1.10.3,
in gst_riff_create_audio_caps.
- CVE-2017-5842 (arbitrary code execution): An off-by-one write has
been found in gstreamer before 1.10.3, in
html_context_handle_element.
- CVE-2017-5844 (denial of service): A floating point exception issue
has been found in gstreamer before 1.10.3, in
gst_riff_create_audio_caps.
More: https://lwn.net/Vulnerabilities/713773/
gst-plugins-good:
From the Arch Linux advisory:
- CVE-2016-10198 (denial of service): An invalid memory read flaw has
been found in gstreamer before 1.10.3, in
gst_aac_parse_sink_setcaps.
- CVE-2016-10199 (denial of service): An out of bounds read has been
found in gstreamer before 1.10.3, in qtdemux_tag_add_str_full.
- CVE-2017-5840 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in qtdemux_parse_samples.
- CVE-2017-5841 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt.
- CVE-2017-5845 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt.
More: https://lwn.net/Vulnerabilities/713774/
gst-plugins-ugly:
From the Arch Linux advisory:
- CVE-2017-5846 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in
gst_asf_demux_process_ext_stream_props.
- CVE-2017-5847 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in
gst_asf_demux_process_ext_content_desc.
More: https://lwn.net/Vulnerabilities/713775/
gstreamer:
From the Arch Linux advisory:
An out of bounds read has been found in gstreamer before 1.10.3, in
gst_date_time_new_from_iso8601_string.
More: https://lwn.net/Vulnerabilities/713776/
* gstreamer-1.0: make gst-launch find plugins again
gst-launch and friends are in the "dev" output now.
* gstreamer-1.0: lower priority on plugins from $NIX_PROFILES
Suffix the plugin paths from $NIX_PROFILES instead of prefixing them to
$GST_PLUGIN_SYSTEM_PATH. If a program has specifically set up its plugin
path to some custom/specific version, we don't want plugins from
$NIX_PROFILES to mess things up by having higher priority.
- Explicitly moving the files breaks them, because the wrappers
reference the files by absolute path. Also this automatically
moves the manpages to $dev as well.
- Need to explicitly set --exec-prefix since the pkgconfig file has
`toolsdir=${exec_prefix}/bin`, breaking totem:
http://hydra.nixos.org/build/34980617/nixlog/1/raw
````
checking for BACKEND_TEST... yes
checking GStreamer 1.0 inspection tool... no
configure: error:
Cannot find required GStreamer-1.0 tool 'gst-inspect-1.0'.
It should be part of gstreamer-1_0-utils. Please install it.
builder for ‘/nix/store/npq2ihlsdniv4j3wbyparq9byjxqdi15-totem-3.18.1.drv’ failed with exit code 1
````
While at it, enable parallel build.
The $lib output refers to the terminfo database in $out, which is about
10x larger than the ncurses shared library. Splitting these outputs
saves a small amount of space for any derivations that use the terminfo
database but not the ncurses library, but we do not have evidence that
any such exist.