Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918095 (CVE-2023-40474, CVE-2023-40475, CVE-2023-40476, SA-2023-0006, SA-2023-0007, SA-2023-0008, ZDI-CAN-21660, ZDI-CAN-21661, ZDI-CAN-21768) - media-libs/gst-plugins-bad: multiple vulnerabilities
Summary: media-libs/gst-plugins-bad: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-40474, CVE-2023-40475, CVE-2023-40476, SA-2023-0006, SA-2023-0007, SA-2023-0008, ZDI-CAN-21660, ZDI-CAN-21661, ZDI-CAN-21768
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A2 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-23 18:06 UTC by John Helmert III
Modified: 2023-11-23 18:06 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-23 18:06:29 UTC
https://gstreamer.freedesktop.org/security/sa-2023-0006.html reports:
   Details:
   Heap-based buffer overflow in the MXF file demuxer when handling malformed
   files with uncompressed video in GStreamer versions before 1.22.6.

   Impact:
   It is possible for a malicious third party to trigger a crash in the
   application, and possibly also effect code execution through heap
   manipulation.

   Patches:
   https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch
   (includes patch for SA-2023-0007 / ZDI-CAN-21661 / CVE-2023-40475)

https://gstreamer.freedesktop.org/security/sa-2023-0007.html reports:
   Details:
   Heap-based buffer overflow in the MXF file demuxer when handling malformed
   files with AES3 audio in GStreamer versions before 1.22.6.

   Impact:
   It is possible for a malicious third party to trigger a crash in the
   application, and possibly also effect code execution through heap
   manipulation.

   Patches:
   https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch
   (includes patch for SA-2023-0006 / ZDI-CAN-21660 / CVE-2023-40474)

https://gstreamer.freedesktop.org/security/sa-2023-0008.html reports:
   Details:
   Stack-based buffer overflow in the H.265 video parser when handling malformed
   H.265 video streams in GStreamer versions before 1.22.6.

   Impact:
   It is possible for a malicious third party to trigger a crash in the
   application, and possibly also effect code execution through stack
   manipulation.

   Patches:
   https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364.patch

Fixes all in 1.22.6. Please bump.