Bug 701294 (CVE-2019-9928)

Summary: <media-libs/gst-plugins-base-1.14.5: heap-based buffer overflow in RTSP connection parser
Product: Gentoo Security
Reporter: psp <gentoo-bugzilla>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gstreamer, leio
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://gstreamer.freedesktop.org/security/sa-2019-0001.html
Whiteboard: B2 [glsa+ cve]
Package list:
=media-libs/gst-plugins-base-1.14.5-r1
Runtime testing required: ---

Description psp 2019-11-27 06:56:57 UTC
GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.

The fix has been backported to the 1.14.x releases in 1.14.5, which is currently in the portage tree, but not marked stable.
Comment 1 Mart Raudsepp gentoo-dev 2020-02-02 10:51:13 UTC
gst-plugins-base-1.14.5-r1 has been stable on all architectures since 1st January 2020 already.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:47:38 UTC
*** Bug 684842 has been marked as a duplicate of this bug. ***
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:48:59 UTC
New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 19:56:28 UTC
This issue was resolved and addressed in
GLSA 202003-33 at https://security.gentoo.org/glsa/202003-33
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:57:58 UTC
Re-opening for cleanup.

@ maintainer(s): Please cleanup and drop =media-libs/gst-plugins-base-1.14.5!
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2020-05-04 02:38:33 UTC
Please drop vulnerable.
Comment 7 Mart Raudsepp gentoo-dev 2020-05-04 06:04:12 UTC
There are no vulnerable versions for this bug in the tree since January 1st 2020.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 02:39:37 UTC
(In reply to Mart Raudsepp from comment #7)
> There are no vulnerable versions for this bug in the tree since January 1st
> 2020.

Thanks!