Bug 766336 (CVE-2021-3185) - <media-libs/gst-plugins-bad-1.16.3: h264parse stack overflow RCE (CVE-2021-3185)
Summary: <media-libs/gst-plugins-bad-1.16.3: h264parse stack overflow RCE (CVE-2021-3185)
Status: IN_PROGRESS
Alias: CVE-2021-3185
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://marc.info/?l=oss-security&m=1...
Whiteboard: A2 [glsa? cve]
Keywords:
Duplicates: 767187
Depends on:
Blocks: 765163
Reported: 2021-01-21 00:04 UTC by Hank Leininger
Modified: 2021-02-20 10:17 UTC
Description Hank Leininger 2021-01-21 00:04:33 UTC
"During a source code audit, Theori discovered a stack buffer overflow
in the h264parse module which is part of gstreamer-plugins-bad 1.x.
The vulnerable code path can be triggered when gstreamer parses any
attacker-controlled H.264 content. This flaw could lead to remote code
execution."

1.16.3 includes the fix.
Comment 1 Sam James archtester gentoo-dev Security 2021-01-21 00:06:41 UTC
Thanks for the report, beat me to it.

(We use fixed versions within Gentoo in the summary.)
Comment 2 Hank Leininger 2021-01-21 00:47:34 UTC
(In reply to Sam James from comment #1)
> Thanks for the report, beat me to it.
> 
> (We use fixed versions within Gentoo in the summary.)

Thanks! Doh, I meant to <, not <=. 1.16.3 is indeed fixed.
Comment 3 Sam James archtester gentoo-dev Security 2021-01-25 20:10:32 UTC
*** Bug 767187 has been marked as a duplicate of this bug. ***
Comment 4 Sam James archtester gentoo-dev Security 2021-02-14 02:09:14 UTC
ppc64 done
Comment 5 Sam James archtester gentoo-dev Security 2021-02-14 02:12:06 UTC
x86 done
Comment 6 Sam James archtester gentoo-dev Security 2021-02-14 14:50:21 UTC
amd64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-02-15 04:03:09 UTC
ppc done
Comment 8 Sam James archtester gentoo-dev Security 2021-02-17 13:53:15 UTC
arm64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-02-18 08:45:39 UTC
arm done

all arches done
Comment 10 John Helmert III gentoo-dev Security 2021-02-19 01:33:35 UTC
Please cleanup