LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 12-15-2016, 08:13 PM   #1
TarFile
Member
 
Registered: Mar 2003
Posts: 371

Rep: Reputation: 36
libgme security 0-day


Here is a link to an article on this

http://arstechnica.com/security/2016...s-now-a-thing/

I know this is not installed by default on Slackware but for reasons unknown I have it installed

libgme-0.6.0-x86_64-1ponce

so it's something I needed but I have no idea what it's being used by. Maybe OpenShot?

I don't suppose anyone knows of a way to find out what is using a particular lib? I sort of remember something along those lines but it's probably wishful thinking.

Guess I'll remove it and see what if anything breaks.

It is also a part of gst-plugins-bad but who in there right mind would want to install that without a good reason.

Anyway is there a way to see what uses a lib ?
 
Old 12-15-2016, 08:22 PM   #2
TarFile
Member
 
Registered: Mar 2003
Posts: 371

Original Poster
Rep: Reputation: 36
Oh I see that there is a supposed fix in for this. Still not sure what uses it must be one of the many games I have installed

https://bitbucket.org/mpyne/game-music-emu/wiki/Home

I think the slackbuild will work with this?

Still wish I knew why I installed it in the first place.
 
Old 12-15-2016, 08:55 PM   #3
TarFile
Member
 
Registered: Mar 2003
Posts: 371

Original Poster
Rep: Reputation: 36
Well it does not want to work with the slackbuild. Not sure why.

It build but does not make the package to install. The flawed version 0.6.0 works fine.

This is the error I get

Install the project...
-- Install configuration: "Release"
-- Installing: /tmp/SBo/package-libgme/usr/lib64/libgme.so.0.6.1
-- Installing: /tmp/SBo/package-libgme/usr/lib64/libgme.so.0
-- Installing: /tmp/SBo/package-libgme/usr/lib64/libgme.so
-- Installing: /tmp/SBo/package-libgme/usr/include/gme/gme.h
-- Installing: /tmp/SBo/package-libgme/usr/lib64/pkgconfig/libgme.pc
mv: cannot stat '/tmp/SBo/package-libgme/usr/lib/pkgconfig': No such file or directory

I just changed the version number in the slackbuild which works most of the time. Not sure why this one is different. I am drawing a blank here.
 
Old 12-15-2016, 09:00 PM   #4
bassmadrigal
LQ Guru
 
Registered: Nov 2003
Location: West Jordan, UT, USA
Distribution: Slackware
Posts: 8,792

Rep: Reputation: 6656Reputation: 6656Reputation: 6656Reputation: 6656Reputation: 6656Reputation: 6656Reputation: 6656Reputation: 6656Reputation: 6656Reputation: 6656Reputation: 6656
Quote:
Originally Posted by TarFile View Post
Still wish I knew why I installed it in the first place.
I greped the whole repo and ffmpeg is the only item I could find that had libgme as a dependency, and it was an optional one. So you probably chose to add it when you built ffmpeg.

https://slackbuilds.org/repository/1...imedia/ffmpeg/

libgme is maintained by pomfland, and it might be beneficial to email him/her in case they weren't aware of this issue. Then an update can be pushed out to SBo. The email is listed as:

Code:
pomfland at tfwno dot gf

Last edited by bassmadrigal; 12-15-2016 at 09:02 PM.
 
Old 12-15-2016, 09:33 PM   #5
TarFile
Member
 
Registered: Mar 2003
Posts: 371

Original Poster
Rep: Reputation: 36
You are correct I probably got all the optional dependencies when I built ffmpeg. Darn my OCD I get carried away sometimes.

Still can't get the slackbuild to work.
 
Old 12-15-2016, 09:43 PM   #6
TarFile
Member
 
Registered: Mar 2003
Posts: 371

Original Poster
Rep: Reputation: 36
OK I just sent an email so hopefully this will get fixed. I guess I need to rebuild ffmpeg either without it or with the new version.

Linux is getting to be more security work than it used to be or else people are getting better at finding the holes, probably the later. Wonder if it's even possible to write a bullet proof OS? Something tells me that's not going to happen anytime soon.
 
Old 12-16-2016, 12:29 AM   #7
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,060

Rep: Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139
I pushed the commit in my personal branch on SBo (and should go in the next update): these are the modifications you should apply to build it

https://slackbuilds.org/cgit/slackbu...99b6b69a813426

I think you shouldn't need to rebuild ffmpeg after having upgraded to the new version.

Last edited by ponce; 12-16-2016 at 01:06 AM.
 
Old 12-16-2016, 12:42 PM   #8
TarFile
Member
 
Registered: Mar 2003
Posts: 371

Original Poster
Rep: Reputation: 36
Thanks Ponce

I applied the patch and the slackbuild it created worked.

Although the patch command puzzles me here is what it did.

bash-4.4# patch libgme.SlackBuild libgme_61.patch
patching file libgme.SlackBuild
patching file libgme.SlackBuild
Hunk #1 FAILED at 1.
1 out of 1 hunk FAILED -- saving rejects to file libgme.SlackBuild.rej

bash-4.4# cat libgme.SlackBuild.rej
--- libgme.info
+++ libgme.info
@@ -1,8 +1,8 @@
PRGNAM="libgme"
-VERSION="0.6.0"
+VERSION="0.6.1"
HOMEPAGE="https://bitbucket.org/mpyne/game-music-emu/wiki/Home"
-DOWNLOAD="https://bitbucket.org/mpyne/game-music-emu/downloads/game-music-emu-0.6.0.tar.bz2"
-MD5SUM="b98fafb737bc889dc65e7a8b94bd1bf5"
+DOWNLOAD="https://bitbucket.org/mpyne/game-music-emu/downloads/game-music-emu-0.6.1.tar.bz2"
+MD5SUM="d399f4a00aece2813e777dface2b6aab"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES=""


I guess that is how it is supposed to work?
 
Old 12-16-2016, 01:46 PM   #9
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,060

Rep: Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139Reputation: 4139
no, you need all the files.
Code:
wget -O - "https://slackbuilds.org/cgit/slackbuilds/patch/?id=d1c9270ad77713d3f00625971a99b6b69a813426" > libgme.patch
wget https://slackbuilds.org/slackbuilds/14.2/libraries/libgme.tar.gz
tar xf libgme.tar.gz
cd libgme
patch -p3 < ../libgme.patch
be advised if you will try this in a few hours that you might find that the patch is already applied in the main repository.
 
Old 12-16-2016, 09:05 PM   #10
TarFile
Member
 
Registered: Mar 2003
Posts: 371

Original Poster
Rep: Reputation: 36
Well that is what I did but to be on the safe side I removed that and used the new one from slackbuild.

Thanks for the help.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: A Day in the Life of Google's Security Chief LXer Syndicated Linux News 0 03-04-2016 09:33 AM
LXer: LinuxCon Day 2 recap: Security-centric LXer Syndicated Linux News 0 08-19-2015 03:30 PM
LXer: FREAK: Another day, another serious SSL security hole LXer Syndicated Linux News 0 03-04-2015 10:20 AM
LXer: Another day, another Firefox security fix LXer Syndicated Linux News 0 11-28-2007 01:10 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 02:47 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration