Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 701294 (CVE-2019-9928) - <media-libs/gst-plugins-base-1.14.5: heap-based buffer overflow in RTSP connection parser
Summary: <media-libs/gst-plugins-base-1.14.5: heap-based buffer overflow in RTSP conne...
Alias: CVE-2019-9928
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
: 684842 (view as bug list)
Depends on:
Reported: 2019-11-27 06:56 UTC by psp
Modified: 2020-06-18 02:41 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description psp 2019-11-27 06:56:57 UTC
GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.

The fix has been backported to the 1.14.x releases in 1.14.5, which is currently in the portage tree, but not marked stable.
Comment 1 Mart Raudsepp gentoo-dev 2020-02-02 10:51:13 UTC
gst-plugins-base-1.14.5-r1 has been stable on all architectures since 1st January 2020 already.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:47:38 UTC
*** Bug 684842 has been marked as a duplicate of this bug. ***
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:48:59 UTC
New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 19:56:28 UTC
This issue was resolved and addressed in
 GLSA 202003-33 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 19:57:58 UTC
Re-opening for cleanup.

@ maintainer(s): Please cleanup and drop =media-libs/gst-plugins-base-1.14.5!
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2020-05-04 02:38:33 UTC
Please drop vulnerable.
Comment 7 Mart Raudsepp gentoo-dev 2020-05-04 06:04:12 UTC
There are no vulnerable versions for this bug in the tree since January 1st 2020.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 02:39:37 UTC
(In reply to Mart Raudsepp from comment #7)
> There are no vulnerable versions for this bug in the tree since January 1st
> 2020.