gst-plugins-bad:
From the Arch Linux advisory:
- CVE-2017-5843 (arbitrary code execution): A double-free issue has
been found in gstreamer before 1.10.3, in
gst_mxf_demux_update_essence_tracks.
- CVE-2017-5848 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in gst_ps_demux_parse_psm.
More: https://lwn.net/Vulnerabilities/713772/
gst-plugins-base:
From the Arch Linux advisory:
- CVE-2017-5837 (denial of service): A floating point exception issue
has been found in gstreamer before 1.10.3, in
gst_riff_create_audio_caps.
- CVE-2017-5839 (denial of service): An endless recursion issue
leading to stack overflow has been found in gstreamer before 1.10.3,
in gst_riff_create_audio_caps.
- CVE-2017-5842 (arbitrary code execution): An off-by-one write has
been found in gstreamer before 1.10.3, in
html_context_handle_element.
- CVE-2017-5844 (denial of service): A floating point exception issue
has been found in gstreamer before 1.10.3, in
gst_riff_create_audio_caps.
More: https://lwn.net/Vulnerabilities/713773/
gst-plugins-good:
From the Arch Linux advisory:
- CVE-2016-10198 (denial of service): An invalid memory read flaw has
been found in gstreamer before 1.10.3, in
gst_aac_parse_sink_setcaps.
- CVE-2016-10199 (denial of service): An out of bounds read has been
found in gstreamer before 1.10.3, in qtdemux_tag_add_str_full.
- CVE-2017-5840 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in qtdemux_parse_samples.
- CVE-2017-5841 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt.
- CVE-2017-5845 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt.
More: https://lwn.net/Vulnerabilities/713774/
gst-plugins-ugly:
From the Arch Linux advisory:
- CVE-2017-5846 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in
gst_asf_demux_process_ext_stream_props.
- CVE-2017-5847 (denial of service): An out-of-bounds read has been
found in gstreamer before 1.10.3, in
gst_asf_demux_process_ext_content_desc.
More: https://lwn.net/Vulnerabilities/713775/
gstreamer:
From the Arch Linux advisory:
An out of bounds read has been found in gstreamer before 1.10.3, in
gst_date_time_new_from_iso8601_string.
More: https://lwn.net/Vulnerabilities/713776/
* gstreamer-1.0: make gst-launch find plugins again
gst-launch and friends are in the "dev" output now.
* gstreamer-1.0: lower priority on plugins from $NIX_PROFILES
Suffix the plugin paths from $NIX_PROFILES instead of prefixing them to
$GST_PLUGIN_SYSTEM_PATH. If a program has specifically set up its plugin
path to some custom/specific version, we don't want plugins from
$NIX_PROFILES to mess things up by having higher priority.
- Explicitly moving the files breaks them, because the wrappers
reference the files by absolute path. Also this automatically
moves the manpages to $dev as well.
- Need to explicitly set --exec-prefix since the pkgconfig file has
`toolsdir=${exec_prefix}/bin`, breaking totem:
http://hydra.nixos.org/build/34980617/nixlog/1/raw
````
checking for BACKEND_TEST... yes
checking GStreamer 1.0 inspection tool... no
configure: error:
Cannot find required GStreamer-1.0 tool 'gst-inspect-1.0'.
It should be part of gstreamer-1_0-utils. Please install it.
builder for ‘/nix/store/npq2ihlsdniv4j3wbyparq9byjxqdi15-totem-3.18.1.drv’ failed with exit code 1
````
While at it, enable parallel build.
The $lib output refers to the terminfo database in $out, which is about
10x larger than the ncurses shared library. Splitting these outputs
saves a small amount of space for any derivations that use the terminfo
database but not the ncurses library, but we do not have evidence that
any such exist.
(And while at it, gst-vaapi 0.6.0 -> 0.6.1.)
* gst-editing-services grew additional build time dependencies, flex and
perl.
* gst-libav switched from libav to ffmpeg as "libav" provider, see
http://gstreamer.freedesktop.org/releases/1.6/.
Without using ffmpeg, one may hit issues such as this (which I
initially did):
(gst-plugin-scanner:19751): GStreamer-WARNING **: Failed to load plugin '/nix/store/0wgpq2yx9wrkp2mh4rn1c7zbiq2bqa2l-gst-libav-1.6.1/lib/gstreamer-1.0/libgstlibav.so':
/nix/store/0wgpq2yx9wrkp2mh4rn1c7zbiq2bqa2l-gst-libav-1.6.1/lib/gstreamer-1.0/libgstlibav.so: undefined symbol: av_frame_get_sample_rate
