nixpkgs/pkgs/development/libraries/gstreamer/bad/default.nix
Graham Christensen afd59811a1
gstreamer-*: 1.10.2 -> 1.10.3 for multiple CVEs
gst-plugins-bad:
From the Arch Linux advisory:
 - CVE-2017-5843 (arbitrary code execution): A double-free issue has
 been found in gstreamer before 1.10.3, in
 gst_mxf_demux_update_essence_tracks.

- CVE-2017-5848 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in gst_ps_demux_parse_psm.
More: https://lwn.net/Vulnerabilities/713772/

gst-plugins-base:
From the Arch Linux advisory:

- CVE-2017-5837 (denial of service): A floating point exception issue
  has been found in gstreamer before 1.10.3, in
  gst_riff_create_audio_caps.

- CVE-2017-5839 (denial of service): An endless recursion issue
  leading to stack overflow has been found in gstreamer before 1.10.3,
  in gst_riff_create_audio_caps.

- CVE-2017-5842 (arbitrary code execution): An off-by-one write has
  been found in gstreamer before 1.10.3, in
  html_context_handle_element.

- CVE-2017-5844 (denial of service): A floating point exception issue
  has been found in gstreamer before 1.10.3, in
  gst_riff_create_audio_caps.
More: https://lwn.net/Vulnerabilities/713773/

gst-plugins-good:
From the Arch Linux advisory:

- CVE-2016-10198 (denial of service): An invalid memory read flaw has
  been found in gstreamer before 1.10.3, in
  gst_aac_parse_sink_setcaps.

- CVE-2016-10199 (denial of service): An out of bounds read has been
  found in gstreamer before 1.10.3, in qtdemux_tag_add_str_full.

- CVE-2017-5840 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in qtdemux_parse_samples.

- CVE-2017-5841 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt.

- CVE-2017-5845 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in gst_avi_demux_parse_ncdt.
More: https://lwn.net/Vulnerabilities/713774/

gst-plugins-ugly:
From the Arch Linux advisory:

- CVE-2017-5846 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in
  gst_asf_demux_process_ext_stream_props.

- CVE-2017-5847 (denial of service): An out-of-bounds read has been
  found in gstreamer before 1.10.3, in
  gst_asf_demux_process_ext_content_desc.
More: https://lwn.net/Vulnerabilities/713775/

gstreamer:
From the Arch Linux advisory:

An out of bounds read has been found in gstreamer before 1.10.3, in
gst_date_time_new_from_iso8601_string.
More: https://lwn.net/Vulnerabilities/713776/
2017-02-08 08:30:23 -05:00

59 lines
1.7 KiB
Nix

{ stdenv, fetchurl, pkgconfig, python, gst-plugins-base, orc
, faacSupport ? false, faac ? null
, faad2, libass, libkate, libmms
, libmodplug, mpeg2dec, mpg123
, openjpeg, libopus, librsvg
, wildmidi, fluidsynth, libvdpau, wayland
, libwebp, xvidcore, gnutls, mjpegtools
, mesa, libintlOrEmpty
}:
assert faacSupport -> faac != null;
let
inherit (stdenv.lib) optional optionalString;
in
stdenv.mkDerivation rec {
name = "gst-plugins-bad-1.10.3";
meta = with stdenv.lib; {
description = "Gstreamer Bad Plugins";
homepage = "http://gstreamer.freedesktop.org";
longDescription = ''
a set of plug-ins that aren't up to par compared to the
rest. They might be close to being good quality, but they're missing
something - be it a good code review, some documentation, a set of tests,
a real live maintainer, or some actual wide use.
'';
license = licenses.lgpl2Plus;
platforms = platforms.linux;
};
src = fetchurl {
url = "${meta.homepage}/src/gst-plugins-bad/${name}.tar.xz";
sha256 = "1rwla1p57yzygb68z2xk5l5kvqzj5w3nxq0davkwk139zd8r6294";
};
outputs = [ "out" "dev" ];
nativeBuildInputs = [ pkgconfig python ];
buildInputs = [
gst-plugins-base orc
faad2 libass libkate libmms
libmodplug mpeg2dec mpg123
openjpeg libopus librsvg
fluidsynth libvdpau
libwebp xvidcore gnutls mesa
mjpegtools
]
++ libintlOrEmpty
++ optional faacSupport faac
++ optional stdenv.isLinux wayland
# wildmidi requires apple's OpenAL
# TODO: package apple's OpenAL, fix wildmidi, include on Darwin
++ optional (!stdenv.isDarwin) wildmidi;
LDFLAGS = optionalString stdenv.isDarwin "-lintl";
}