gstreamer/security-advisories/sa-2016-0002.md

# Security Advisory 2016-0002 (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807)

<div class="vertical-table">

|                   |     |
| ----------------- | --- |
| Summary           | Multiple Issues in FLC/FLI/FLX Decoder |
| Date              | 2016-11-23 03:00 |
| Affected Versions | GStreamer gst-plugins-bad 1.10 < 1.10.2<br/>GStreamer gst-plugins-bad 1.x <= 1.8.3 |
| IDs               | GStreamer-SA-2016-0002<br/>CVE-2016-9634<br/>CVE-2016-9635<br/>CVE-2016-9636<br/>CVE-2016-9807 |

</div>

## Details

The decoder for the FLC/FLI/FLX animation video formats in gst-plugins-good contains various out-of-bounds writes and reads and fails to initialize output frame memory.

## Impact

If successful, a malicious third party could trigger either a crash in an application decoding a FLC/FLI/FLX video stream or an arbitrary code execution with the privileges of the target user. The failure to initialize output memory may result in an information leak.

## Threat Mitigation

Exploitation requires the user to access an FLC/FLI/FLX stream or file.

## Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites, or disable the FLC/FLI/FLX decoder plugin by removing the plugin binary file libgstflxdec.so or libgstflxdec.dll.

## Solution

The gst-plugins-bad 1.10.2 release addresses the issue. The upcoming gst-plugins-bad 1.8.4 release will also address the issue. People using older branches of GStreamer should apply the patch and recompile or disable the FLC/FLI/FLX plugin.

## References

### The GStreamer project

- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)

### CVE Database Entries

- [CVE-2016-9634](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9634)
- [CVE-2016-9635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9635)
- [CVE-2016-9636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9636)
- [CVE-2016-9807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9807)

### GStreamer Bugzilla Entries

- [Bug 774834](https://bugzilla.gnome.org/show_bug.cgi?id=774834)
- [Bug 774859](https://bugzilla.gnome.org/show_bug.cgi?id=774859)

### GStreamer Patches

- [Patch 1](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac)
- [Patch 2](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=fec77de8cbb0c8192b77aff2e563705ba421f2f2)
- [Patch 3](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=45dcd0b9ccf33ed85cdafeb871a3781f5be57fd9)
- [Patch 4](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff)
- [Patch 5](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=96aaf889afe90b5e02ec756af5c6c7000d2cc424)
security-advisories: import from www module Ship these also as part of the monorepo, so we can prepare new advisories as part of the relevant merge requests in the private gstreamer-security repository. Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/7610> 2024-10-03 16:03:52 +00:00			`# Security Advisory 2016-0002 (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807)`

			`<div class="vertical-table">`

			`\| \| \|`
			`\| ----------------- \| --- \|`
			`\| Summary \| Multiple Issues in FLC/FLI/FLX Decoder \|`
			`\| Date \| 2016-11-23 03:00 \|`
			`\| Affected Versions \| GStreamer gst-plugins-bad 1.10 < 1.10.2<br/>GStreamer gst-plugins-bad 1.x <= 1.8.3 \|`
			`\| IDs \| GStreamer-SA-2016-0002<br/>CVE-2016-9634<br/>CVE-2016-9635<br/>CVE-2016-9636<br/>CVE-2016-9807 \|`

			`</div>`

			`## Details`

			`The decoder for the FLC/FLI/FLX animation video formats in gst-plugins-good contains various out-of-bounds writes and reads and fails to initialize output frame memory.`

			`## Impact`

			`If successful, a malicious third party could trigger either a crash in an application decoding a FLC/FLI/FLX video stream or an arbitrary code execution with the privileges of the target user. The failure to initialize output memory may result in an information leak.`

			`## Threat Mitigation`

			`Exploitation requires the user to access an FLC/FLI/FLX stream or file.`

			`## Workarounds`

			`The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites, or disable the FLC/FLI/FLX decoder plugin by removing the plugin binary file libgstflxdec.so or libgstflxdec.dll.`

			`## Solution`

			`The gst-plugins-bad 1.10.2 release addresses the issue. The upcoming gst-plugins-bad 1.8.4 release will also address the issue. People using older branches of GStreamer should apply the patch and recompile or disable the FLC/FLI/FLX plugin.`

			`## References`

			`### The GStreamer project`

			`- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)`

			`### CVE Database Entries`

			`- [CVE-2016-9634](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9634)`
			`- [CVE-2016-9635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9635)`
			`- [CVE-2016-9636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9636)`
			`- [CVE-2016-9807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9807)`

			`### GStreamer Bugzilla Entries`

			`- [Bug 774834](https://bugzilla.gnome.org/show_bug.cgi?id=774834)`
			`- [Bug 774859](https://bugzilla.gnome.org/show_bug.cgi?id=774859)`

			`### GStreamer Patches`

			`- [Patch 1](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac)`
			`- [Patch 2](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=fec77de8cbb0c8192b77aff2e563705ba421f2f2)`
			`- [Patch 3](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=45dcd0b9ccf33ed85cdafeb871a3781f5be57fd9)`
			`- [Patch 4](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff)`
			`- [Patch 5](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=96aaf889afe90b5e02ec756af5c6c7000d2cc424)`