Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918095 (CVE-2023-40474, CVE-2023-40475, CVE-2023-40476, SA-2023-0006, SA-2023-0007, SA-2023-0008, ZDI-CAN-21660, ZDI-CAN-21661, ZDI-CAN-21768) - <media-libs/gst-plugins-bad-1.22.11-r1: multiple vulnerabilities
Summary: <media-libs/gst-plugins-bad-1.22.11-r1: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-40474, CVE-2023-40475, CVE-2023-40476, SA-2023-0006, SA-2023-0007, SA-2023-0008, ZDI-CAN-21660, ZDI-CAN-21661, ZDI-CAN-21768
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 928779
Blocks:
  Show dependency tree
 
Reported: 2023-11-23 18:06 UTC by John Helmert III
Modified: 2024-06-29 05:49 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-23 18:06:29 UTC
https://gstreamer.freedesktop.org/security/sa-2023-0006.html reports:
   Details:
   Heap-based buffer overflow in the MXF file demuxer when handling malformed
   files with uncompressed video in GStreamer versions before 1.22.6.

   Impact:
   It is possible for a malicious third party to trigger a crash in the
   application, and possibly also effect code execution through heap
   manipulation.

   Patches:
   https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch
   (includes patch for SA-2023-0007 / ZDI-CAN-21661 / CVE-2023-40475)

https://gstreamer.freedesktop.org/security/sa-2023-0007.html reports:
   Details:
   Heap-based buffer overflow in the MXF file demuxer when handling malformed
   files with AES3 audio in GStreamer versions before 1.22.6.

   Impact:
   It is possible for a malicious third party to trigger a crash in the
   application, and possibly also effect code execution through heap
   manipulation.

   Patches:
   https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch
   (includes patch for SA-2023-0006 / ZDI-CAN-21660 / CVE-2023-40474)

https://gstreamer.freedesktop.org/security/sa-2023-0008.html reports:
   Details:
   Stack-based buffer overflow in the H.265 video parser when handling malformed
   H.265 video streams in GStreamer versions before 1.22.6.

   Impact:
   It is possible for a malicious third party to trigger a crash in the
   application, and possibly also effect code execution through stack
   manipulation.

   Patches:
   https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364.patch

Fixes all in 1.22.6. Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2024-04-30 08:28:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=921fdfc2e59cfb6143b33056ca4b215f65be248b

commit 921fdfc2e59cfb6143b33056ca4b215f65be248b
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2024-04-30 07:47:59 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2024-04-30 08:23:47 +0000

    media-libs/gst-plugins-bad: drop 1.20.5-r1, 1.20.6
    
    Bug: https://bugs.gentoo.org/918095
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 media-libs/gst-plugins-bad/Manifest                |   2 -
 .../gst-plugins-bad-1.20.5-r1.ebuild               | 104 ---------------------
 .../gst-plugins-bad/gst-plugins-bad-1.20.6.ebuild  | 104 ---------------------
 3 files changed, 210 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-06-29 05:48:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0715db682a941540ce2f4ccb909d8f446c05e0ce

commit 0715db682a941540ce2f4ccb909d8f446c05e0ce
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-06-29 05:46:23 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-06-29 05:46:23 +0000

    [ GLSA 202406-06 ] GStreamer, GStreamer Plugins: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/917791
    Bug: https://bugs.gentoo.org/918095
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202406-06.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)