[Issue] Dependency on deprecated library libgstinterfaces

[Hagar Delest]

Greetings,

I'm currently running AOO 4.1.5 on Gentoo Linux, and have found an issue with clearing a Security Advisory from my system (namely GLSA 201705-10) due to OpenOffice's dependency on /usr/lib64/libgstinterfaces-0.10.so.0 by /usr/lib64/openoffice/program/libavmediagst.so. That library is provided by media-libs/gst-plugins-base-0.10.36-r2 which was deprecated due to vulnerabilities, and the current version of gst-plugins-base is 1.14.1, but unfortunately doesn't provide an updated version of libgstinterfaces.

The following is the list of CVEs that deprecated all versions of gst-plugins-base up through 1.10.2:

CVE-2016-10198, CVE-2016-10199, CVE-2016-9445, CVE-2016-9446, CVE-2016-9447, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807,
CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813, CVE-2017-5837, CVE-2016-10198, CVE-2016-10199, CVE-2016-9445, CVE-2016-9446, CVE-2016-9447, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807, CVE-2016-9808, CVE-2016-9809, CVE-2016-9810, CVE-2016-9811, CVE-2016-9812, CVE-2016-9813, CVE-2017-5837, CVE-2017-5838, CVE-2017-5839, CVE-2017-5840, CVE-2017-5841,
CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5846, CVE-2017-5847, CVE-2017-5848, CVE-2017-5838, CVE-2017-5839,
CVE-2017-5840, CVE-2017-5841, CVE-2017-5842, CVE-2017-5843, CVE-2017-5844, CVE-2017-5845, CVE-2017-5846, CVE-2017-5847, CVE-2017-5848

Any ideas on how to proceed from here?

TIA for your help.

[John_Ha]

The only thing you can do is raise a bug report at https://bz.apache.org/ooo/.

I don't think it will be fixed any time soon.

[Bill]

This may be a topic for the development mailing list. A search for "libavmediagst.so" found that AOO 4.2.0 will use gstreamer 1.0 instead of gstreamer 0.1, but I don't know if that would fix the problem.

Issue 127722 - Update gstreamer support from 0.1 to 1.0

Openoffice and unsupported gstreamer 0.10 branch (for openoffice libavmediagst.so library)

[ShadowCat8]

Greetings again and thanks for the responses,

@Bill: Thanks for the links. After reading the discussion on the dev mailing list from the link you provided, it seems others have also had concerns regarding AOO's dependency on the deprecated version of the gstreamer libs. At this point, support for linking against the 1.0 versions of gstreamer and the plugins will be available in AOO 4.2.0, and there is a patch available right now for those who want to build from source. I will likely try a direct-source build on my home system to see if it will work against the latest versions of the libs, too, and will report my findings.

And, at this time, I'd like to add an extra thanks and a "Good job!" to Damjan Jovanovic for his time and efforts on this issue, as well as for providing the patch.

Lastly, @robleyd, thanks for correcting my header on the OP of this thread. Since you get no descriptions of the icons on a mouseover, I took that symbol to mean "Danger" as opposed to "Toxic".

Thanks again.