https://www.zerodayinitiative.com/advisories/ZDI-CAN-22299

This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of MXF video files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.

https://www.zerodayinitiative.com/advisories/ZDI-CAN-22226/

This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b76a801f57353b893c344025cac56413140fca6d
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f17ffe824bd8988bb71ae11353

Both of these vulnerabilities have been fixed in 1.22.7.

There is a related version bump bug: https://bugs.gentoo.org/908978
user assisted code execution -> 2?
(In reply to John Helmert III from comment #1)
> user assisted code execution -> 2?

The impact has been described as follows:

https://gstreamer.freedesktop.org/security/sa-2023-0010.html
It is possible for a malicious third party to trigger a crash in the application.

https://gstreamer.freedesktop.org/security/sa-2023-0009.html
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.

Because of that I thought that 4 might be appropriate.

Agreed that 2 is correct since these require user assistance
*and may lead to code execution
Sorry for the huge delay. The needed version bumps are in now, but giving it at least a couple days to settle and make sure there are no issues as it was coupled with a huge review of all ebuilds and many eclass changes.
If there's a GLSA, I'd put it together with bug 918095 one
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15881aaf14c79dc8bd18060646ec2d69e556fd07

commit 15881aaf14c79dc8bd18060646ec2d69e556fd07
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2024-04-30 07:50:05 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2024-04-30 08:23:48 +0000

    media-libs/gstreamer: drop 1.20.5, 1.20.6

    Bug: https://bugs.gentoo.org/917791
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 media-libs/gstreamer/Manifest | 2 -
 .../files/gstreamer-1.20.5-tests-race.patch | 293 ---------------------
 media-libs/gstreamer/gstreamer-1.20.5.ebuild | 76 ------
 media-libs/gstreamer/gstreamer-1.20.6.ebuild | 72 -----
 4 files changed, 443 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0715db682a941540ce2f4ccb909d8f446c05e0ce

commit 0715db682a941540ce2f4ccb909d8f446c05e0ce
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-06-29 05:46:23 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-06-29 05:46:23 +0000

    [ GLSA 202406-06 ] GStreamer, GStreamer Plugins: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/917791
    Bug: https://bugs.gentoo.org/918095
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202406-06.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)