[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] 3 buffer overflows in gstreamer's gst-plugins-bad before 1.22.6
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2023-09-29 21:52:17
Message-ID: 7f2a8960-dec5-4cb8-b4f2-d2366c4d9a21 () oracle ! com
[Download RAW message or body]

https://gstreamer.freedesktop.org/security/sa-2023-0006.html reports:

    Security Advisory 2023-0006 (ZDI-CAN-21660) (CVE-2023-40474)

    Details:
    Heap-based buffer overflow in the MXF file demuxer when handling malformed
    files with uncompressed video in GStreamer versions before 1.22.6.

    Impact:
    It is possible for a malicious third party to trigger a crash in the
    application, and possibly also effect code execution through heap
    manipulation.

    Solution:
    The gst-plugins-bad 1.22.6 releases address the issue. People using older
    branches of GStreamer should apply the patch and recompile.

    Patches:
    https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch
    (includes patch for SA-2023-0007 / ZDI-CAN-21661 / CVE-2023-40475)

https://gstreamer.freedesktop.org/security/sa-2023-0007.html reports:

    Security Advisory 2023-0007 (ZDI-CAN-21661) (CVE-2023-40475)

    Details:
    Heap-based buffer overflow in the MXF file demuxer when handling malformed
    files with AES3 audio in GStreamer versions before 1.22.6.

    Impact:
    It is possible for a malicious third party to trigger a crash in the
    application, and possibly also effect code execution through heap
    manipulation.

    Solution:
    The gst-plugins-bad 1.22.6 releases address the issue. People using older
    branches of GStreamer should apply the patch and recompile.

    Patches:
    https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch
    (includes patch for SA-2023-0006 / ZDI-CAN-21660 / CVE-2023-40474)

https://gstreamer.freedesktop.org/security/sa-2023-0008.html reports:

    Security Advisory 2023-0008 (ZDI-CAN-21768) (CVE-2023-40476)

    Details:
    Stack-based buffer overflow in the H.265 video parser when handling malformed
    H.265 video streams in GStreamer versions before 1.22.6.

    Impact:
    It is possible for a malicious third party to trigger a crash in the
    application, and possibly also effect code execution through stack
    manipulation.

    Solution:
    The gst-plugins-bad 1.22.6 releases address the issue. People using older
    branches of GStreamer should apply the patch and recompile.

    Patches:
    https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364.patch

-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
[prev in list] [next in list] [prev in thread] [next in thread]