GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution. The fix has been backported to the 1.14.x releases in 1.14.5, which is currently in the portage tree, but not marked stable.
gst-plugins-base-1.14.5-r1 has been stable on all architectures since 1st January 2020 already.
*** Bug 684842 has been marked as a duplicate of this bug. ***
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-33 at https://security.gentoo.org/glsa/202003-33 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup. @ maintainer(s): Please clean up and drop =media-libs/gst-plugins-base-1.14.5!
Please drop vulnerable.
There are no vulnerable versions for this bug in the tree since January 1st 2020.
(In reply to Mart Raudsepp from comment #7)
> There are no vulnerable versions for this bug in the tree since January 1st
> 2020.
Thanks!