Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 715100 (CVE-2020-6095)

Summary: <media-libs/gst-rtsp-server-1.16.2: Denial of service via GstRTSPAuth (CVE-2020-6095)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: gstreamer, jchelmert3
Priority: Normal Keywords: PullRequest
Version: unspecifiedFlags: nattka: sanity-check+
Hardware: All   
OS: Linux   
See Also:
Whiteboard: B3 [cleanup glsa+ cve]
Package list:
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-03-27 20:47:29 UTC
"An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability."

Comment 1 John Helmert III (ajak) 2020-06-19 02:29:34 UTC
Maintainer(s): Ping.
Comment 2 Sam James archtester gentoo-dev Security 2020-07-18 20:59:03 UTC
Comment 3 Larry the Git Cow gentoo-dev 2020-08-29 10:00:06 UTC
The bug has been referenced in the following commit(s):

commit 4fa29d9e36377f98e19c9a9eddead073781f18eb
Author:     Mart Raudsepp <>
AuthorDate: 2020-08-29 09:58:35 +0000
Commit:     Mart Raudsepp <>
CommitDate: 2020-08-29 09:59:46 +0000

    media-libs/gst-rtsp-server: bump to 1.16.2, fix CVE-2020-6095
    Includes 3 commits from origin/1.16, including fix for CVE-2020-6095.
    Tests fail due to new max-ttl work in 1.16, disable for now.
    1.18 will be meson-based and we'll retry with tests naturally then.
    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <>

 media-libs/gst-rtsp-server/Manifest                |  1 +
 .../files/1.16.2-CVE-2020-6095.patch               | 39 +++++++++++
 .../files/1.16.2-glib-deprecation-fix.patch        | 59 +++++++++++++++++
 .../gst-rtsp-server/files/1.16.2-leak-fix.patch    | 25 ++++++++
 .../gst-rtsp-server/gst-rtsp-server-1.16.2.ebuild  | 75 ++++++++++++++++++++++
 5 files changed, 199 insertions(+)
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-08-29 17:57:54 UTC
x86 stable
Comment 5 Sam James archtester gentoo-dev Security 2020-08-30 23:44:24 UTC
amd64 done

all arches done
Comment 6 Sam James archtester gentoo-dev Security 2020-08-30 23:44:49 UTC
Please cleanup.
Comment 7 Thomas Deutschmann gentoo-dev Security 2020-09-13 22:26:10 UTC
New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-09-13 23:40:03 UTC
This issue was resolved and addressed in
 GLSA 202009-05 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 9 Thomas Deutschmann gentoo-dev Security 2020-09-13 23:40:27 UTC
Re-opening for cleanup.