List: oss-security
Subject: [oss-security] 3 buffer overflows in gstreamer's gst-plugins-bad before 1.22.6
From: Alan Coopersmith <alan.coopersmith () oracle ! com>
Date: 2023-09-29 21:52:17
Message-ID: 7f2a8960-dec5-4cb8-b4f2-d2366c4d9a21 () oracle ! com
https://gstreamer.freedesktop.org/security/sa-2023-0006.html reports:
Security Advisory 2023-0006 (ZDI-CAN-21660) (CVE-2023-40474)
Details:
Heap-based buffer overflow in the MXF file demuxer when handling malformed
files with uncompressed video in GStreamer versions before 1.22.6.
Impact:
It is possible for a malicious third party to trigger a crash in the
application, and possibly also effect code execution through heap
manipulation.
Solution:
The gst-plugins-bad 1.22.6 releases address the issue. People using older
branches of GStreamer should apply the patch and recompile.
Patches:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch
(includes patch for SA-2023-0007 / ZDI-CAN-21661 / CVE-2023-40475)
https://gstreamer.freedesktop.org/security/sa-2023-0007.html reports:
Security Advisory 2023-0007 (ZDI-CAN-21661) (CVE-2023-40475)
Details:
Heap-based buffer overflow in the MXF file demuxer when handling malformed
files with AES3 audio in GStreamer versions before 1.22.6.
Impact:
It is possible for a malicious third party to trigger a crash in the
application, and possibly also effect code execution through heap
manipulation.
Solution:
The gst-plugins-bad 1.22.6 releases address the issue. People using older
branches of GStreamer should apply the patch and recompile.
Patches:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch
(includes patch for SA-2023-0006 / ZDI-CAN-21660 / CVE-2023-40474)
https://gstreamer.freedesktop.org/security/sa-2023-0008.html reports:
Security Advisory 2023-0008 (ZDI-CAN-21768) (CVE-2023-40476)
Details:
Stack-based buffer overflow in the H.265 video parser when handling malformed
H.265 video streams in GStreamer versions before 1.22.6.
Impact:
It is possible for a malicious third party to trigger a crash in the
application, and possibly also effect code execution through stack
manipulation.
Solution:
The gst-plugins-bad 1.22.6 releases address the issue. People using older
branches of GStreamer should apply the patch and recompile.
Patches:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364.patch
--
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
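A version check a maintainer might run after reading the three advisories above, as an added example that is not part of Alan's post or of the GStreamer advisories. It compares a dotted gst-plugins-bad version string against the 1.22.6 fix release named in the advisories; the pkg-config module name `gstreamer-plugins-bad-1.0` and the `Version` line in `gst-inspect-1.0 mxf` output are assumptions about the installed tooling, not something the post states.

```shell
#!/bin/sh
# Added example (not from the advisory or the GStreamer project):
# report whether an installed gst-plugins-bad is at or past 1.22.6,
# the release that fixes CVE-2023-40474/40475/40476.

FIXED_VERSION="1.22.6"

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Compares the first three numeric components; a missing component or a
# suffix such as "rc1" is reduced to its leading digits (or 0).
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//'); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//'); y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# gst_bad_status VERSION: print "fixed" (exit 0) or "vulnerable" (exit 1)
# for the given gst-plugins-bad version string.
gst_bad_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# installed_gst_bad_version: best-effort lookup of the installed version.
# Assumption: the pkg-config module is gstreamer-plugins-bad-1.0 and
# gst-inspect-1.0 prints a "  Version   <x.y.z>" line for the mxf plugin.
installed_gst_bad_version() {
    if command -v pkg-config >/dev/null 2>&1; then
        pkg-config --modversion gstreamer-plugins-bad-1.0 2>/dev/null && return 0
    fi
    if command -v gst-inspect-1.0 >/dev/null 2>&1; then
        v=$(gst-inspect-1.0 mxf 2>/dev/null | sed -n 's/^ *Version *//p' | head -n 1)
        [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    fi
    return 1
}

# Stand-alone use: print the verdict for whatever is installed here.
if v=$(installed_gst_bad_version); then
    printf 'gst-plugins-bad %s: %s\n' "$v" "$(gst_bad_status "$v")"
else
    echo "gst-plugins-bad not found; call gst_bad_status <version> directly" >&2
fi
```

A version number below 1.22.6 is not by itself proof of exposure: the advisories tell users of older branches to apply the merge-request patches and recompile, and distributions that do so keep the old version string, so a "vulnerable" verdict from this check should be confirmed against the distribution's changelog or the presence of the backported fix before being reported.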