Bug 600506 - media-libs/gst-plugins-good-*: Out of bounds write, code execution
Summary: media-libs/gst-plugins-good-*: Out of bounds write, code execution
Status: RESOLVED DUPLICATE of bug 601354
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Reported: 2016-11-22 18:26 UTC by pachnekrobert
Modified: 2016-12-01 14:54 UTC
Description pachnekrobert 2016-11-22 18:26:17 UTC
Chris Evans discovered a vulnerability in the decoder for the FLIC file format which is part of media-libs/gst-plugins-good.
It's described on a private blog ( ), no CVE has been assigned yet but one is requested ( ).

I checked the portage tree and the vulnerable code seems to be present in all versions of gst-plugins-good which are available in Gentoo, from gst-plugins-good-0.10.31-r1 to gst-plugins-good-1.8.3

The lack of bounds checking happens in the function 
flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest) {}

There is a commit fixing the issue upstream:
Comment 1 pachnekrobert 2016-11-24 03:05:11 UTC
CVEs have been assigned
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 14:54:32 UTC
The fix was incomplete, see

Merging this bug with bug 601354.

*** This bug has been marked as a duplicate of bug 601354 ***
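
The description above attributes the flaw to missing bounds checking in flx_decode_delta_fli. The following is an added example, not the upstream commit and not GStreamer's code, showing the checks a FLI delta decoder needs on both its input read position and its output write position. The function name, the sample chunks, and the chunk layout as coded here (two 16-bit line counters, then per-line packets of a skip byte and a signed count byte) are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical helper (not the GStreamer function): applies one FLI delta
 * chunk to `frame`, which already holds the previous width*height 8-bit image.
 * Returns 0, or -1 as soon as a read would pass `in` or a write would pass the
 * current line; bytes written before the error stay modified. */
int fli_delta_decode_checked(const uint8_t *in, size_t in_len,
                             uint8_t *frame, size_t width, size_t height)
{
    if (in_len < 4) return -1;
    size_t start = in[0] | (size_t)in[1] << 8;  /* first changed line */
    size_t lines = in[2] | (size_t)in[3] << 8;  /* number of changed lines */
    size_t pos = 4;
    if (start > height || lines > height - start) return -1;
    for (size_t y = start; y < start + lines; y++) {
        uint8_t *row = frame + y * width;
        size_t x = 0;
        if (pos >= in_len) return -1;
        unsigned packets = in[pos++];
        while (packets--) {
            if (in_len - pos < 2) return -1;
            x += in[pos++];                      /* column skip */
            size_t count = in[pos++];
            if (x > width) return -1;
            if (count > 0x7f) {                  /* run: repeat one byte */
                count = 0x100 - count;
                if (pos >= in_len || count > width - x) return -1;
                memset(row + x, in[pos++], count);
            } else {                             /* literal: copy bytes */
                if (count > in_len - pos || count > width - x) return -1;
                memcpy(row + x, in + pos, count);
                pos += count;
            }
            x += count;
        }
    }
    return 0;
}

/* Constructed sample chunks for a 4x2 frame (not taken from any real file). */
const uint8_t ok_chunk[]   = {1,0, 1,0, 2, 1,2,0xAA,0xBB, 0,0xFF,0xCC};
const uint8_t wide_run[]   = {1,0, 1,0, 1, 0,0xFB,0x41}; /* run of 5, width 4 */
const uint8_t short_data[] = {1,0, 1,0, 1, 0,3,0xAA};    /* 3 literals, 1 present */
uint8_t demo_frame[8];                                   /* zeroed 4x2 frame */

int main(void)
{
    return fli_delta_decode_checked(ok_chunk, sizeof ok_chunk, demo_frame, 4, 2);
}
```

Every length taken from the file is compared against what remains in the input buffer and in the current row before any byte is written.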