Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 859418 (CVE-2022-1920, CVE-2022-1921, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122) - <media-libs/gst-plugins-good-1.20.3: multiple vulnerabilities
Summary: <media-libs/gst-plugins-good-1.20.3: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-1920, CVE-2022-1921, CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925, CVE-2022-2122
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://gstreamer.freedesktop.org/sec...
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 855980 867784
Blocks:
  Show dependency tree
 
Reported: 2022-07-19 23:29 UTC by John Helmert III
Modified: 2024-09-22 07:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-19 23:29:20 UTC
CVE-2022-1922:

DOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in matroskademux element in gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.

CVE-2022-1923:

DOS / potential heap overwrite in mkv demuxing using bzip decompression. Integer overflow in matroskademux element in bzip decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.

CVE-2022-1924:

DOS / potential heap overwrite in mkv demuxing using lzo decompression. Integer overflow in matroskademux element in lzo decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.

CVE-2022-1925:

DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in matroskaparse element in gst_matroska_decompress_data function which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered, however the matroskaparse element has no size checks.

CVE-2022-2122:

DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite.

Issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225

Patches: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966

Please bump to 1.20.3.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-19 23:36:53 UTC
Two more.

CVE-2022-1920 (https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226):

Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite.

Advisory: https://gstreamer.freedesktop.org/security/sa-2022-0004.html
Issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
Patch: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/cf887f1b8e228bff6e19829e6d03995d70ad739d

CVE-2022-1921 (https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224):

Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.

Advisory: https://gstreamer.freedesktop.org/security/sa-2022-0001.html
Issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
Patch: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
Comment 2 Hans de Graaff gentoo-dev Security 2023-10-02 11:34:10 UTC
commit 5ad596faf1741d32a5bd30ffdeba25b5e402bbca
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Sun Nov 20 18:31:15 2022 +0000

    media-libs/gst-plugins-good: drop 1.20.2
Comment 3 Larry the Git Cow gentoo-dev 2024-09-22 07:13:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=88c3385543c5b80795f92d56df5f5cfb8b0c16a7

commit 88c3385543c5b80795f92d56df5f5cfb8b0c16a7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 07:13:16 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 07:13:35 +0000

    [ GLSA 202409-13 ] gst-plugins-good: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/859418
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-13.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)