security-advisories: import from www module

Ship these also as part of the monorepo, so we can prepare
new advisories as part of the relevant merge requests in
the private gstreamer-security repository.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/7610>
Tim-Philipp Müller 2024-10-03 17:03:52 +01:00 committed by GStreamer Marge Bot
parent 29063d2ebc
commit 95ca7014c8
27 changed files with 1212 additions and 0 deletions

View file

@ -0,0 +1,41 @@
# Security Advisory 2024-XXXX <!-- (ZDI-CAN-XXXXX, CVE-2024-XXXX) -->
<div class="vertical-table">
| | |
| ----------------- | ----------------------------------------- |
| Summary | Example summary |
| Date | 2024-04-10 10:00 |
| Affected Versions | GStreamer gst-plugins-XYZ |
| IDs | GStreamer-SA-2024-XXXX<br/>CVE-2024-XXXX |
</div>
## Details
## Impact
## Threat mitigation
## Workarounds
## Solution
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2024-XXXX](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-XXXX)
### GStreamer 1.XX.X release
- [Release Notes](/releases/1.XX/#1.XX.X)
- [GStreamer Plugins XYZ 1.XX.X](/src/gst-plugins-XYZ/gst-plugins-XYZ-1.XX.X.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/XXXX.patch)
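
Review bot: the `## Threat mitigation` heading in this template does not match the advisories imported alongside it. 2016-0001 uses `## Mitigation`, 2016-0002 uses `## Threat Mitigation`, and the 2021 and later files drop both this section and `## Workarounds`. Since new advisories will be copied from this file, settle on one spelling and add an HTML comment saying whether empty sections are to be removed or kept. The `Date` row (`2024-04-10 10:00`) also gives no timezone; a comment stating the expected one would avoid ambiguity.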

View file

@ -0,0 +1,52 @@
# Security Advisory 2016-0001 (CVE-2016-9445, CVE-2016-9446)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Multiple Issues in VMNC decoder |
| Date | 2016-11-17 16:00 |
| Affected Versions | GStreamer gst-plugins-bad 1.10 < 1.10.1<br/>GStreamer gst-plugins-bad 1.x <= 1.8.3 |
| IDs | GStreamer-SA-2016-0001<br/>CVE-2016-9445<br/>CVE-2016-9446 |
</div>
## Details
The VMNC decoder in gst-plugins-bad contains an integer overflow vulnerability and a failure to initialize output memory.
## Impact
If successful, a malicious third party could trigger either a crash in an application decoding a VMNC video stream or an arbitrary code execution with the privileges of the target user. The failure to initialize output memory may result in an information leak.
## Mitigation
Exploitation requires the user to access a VMNC stream or file.
## Workarounds
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites, or disable the VMNC decoder plugin by removing the plugin binary file libgstvmnc.so or libgstvmnc.dll.
## Solution
The gst-plugins-bad 1.10.1 release addresses the issue. The upcoming gst-plugins-bad 1.8.4 release will also address the issue. People using older branches of GStreamer should apply the patch and recompile, or disable the VMNC plugin.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2016-9445](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9445)
- [CVE-2016-9446](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9446)
### GStreamer Bugzilla Entry
- [Bug 774533](https://bugzilla.gnome.org/show_bug.cgi?id=774533)
### GStreamer Patches
- [Patch](https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe)
- [Patch 2](https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=807e23118b6b6d99e61b5e2055c4bc82a444b008)
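
Review bot: the Solution paragraph still says `The upcoming gst-plugins-bad 1.8.4 release will also address the issue`, which reads as stale in an advisory dated 2016-11-17. If the import is meant to be verbatim, that is fine for this commit, but it is worth a follow-up to state the fixed 1.8.x version as a fact. The section heading `## Mitigation` also differs from the `## Threat mitigation` used by the template.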

View file

@ -0,0 +1,58 @@
# Security Advisory 2016-0002 (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Multiple Issues in FLC/FLI/FLX Decoder |
| Date | 2016-11-23 03:00 |
| Affected Versions | GStreamer gst-plugins-bad 1.10 < 1.10.2<br/>GStreamer gst-plugins-bad 1.x <= 1.8.3 |
| IDs | GStreamer-SA-2016-0002<br/>CVE-2016-9634<br/>CVE-2016-9635<br/>CVE-2016-9636<br/>CVE-2016-9807 |
</div>
## Details
The decoder for the FLC/FLI/FLX animation video formats in gst-plugins-good contains various out-of-bounds writes and reads and fails to initialize output frame memory.
## Impact
If successful, a malicious third party could trigger either a crash in an application decoding a FLC/FLI/FLX video stream or an arbitrary code execution with the privileges of the target user. The failure to initialize output memory may result in an information leak.
## Threat Mitigation
Exploitation requires the user to access an FLC/FLI/FLX stream or file.
## Workarounds
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites, or disable the FLC/FLI/FLX decoder plugin by removing the plugin binary file libgstflxdec.so or libgstflxdec.dll.
## Solution
The gst-plugins-bad 1.10.2 release addresses the issue. The upcoming gst-plugins-bad 1.8.4 release will also address the issue. People using older branches of GStreamer should apply the patch and recompile or disable the FLC/FLI/FLX plugin.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2016-9634](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9634)
- [CVE-2016-9635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9635)
- [CVE-2016-9636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9636)
- [CVE-2016-9807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9807)
### GStreamer Bugzilla Entries
- [Bug 774834](https://bugzilla.gnome.org/show_bug.cgi?id=774834)
- [Bug 774859](https://bugzilla.gnome.org/show_bug.cgi?id=774859)
### GStreamer Patches
- [Patch 1](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac)
- [Patch 2](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=fec77de8cbb0c8192b77aff2e563705ba421f2f2)
- [Patch 3](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=45dcd0b9ccf33ed85cdafeb871a3781f5be57fd9)
- [Patch 4](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff)
- [Patch 5](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=96aaf889afe90b5e02ec756af5c6c7000d2cc424)
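
Review bot: the module name is inconsistent within this file. Details says the decoder is `in gst-plugins-good` and all five patch links point at the gst-plugins-good repository, but the `Affected Versions` row and the Solution paragraph name gst-plugins-bad (`gst-plugins-bad 1.10 < 1.10.2`, `The gst-plugins-bad 1.10.2 release addresses the issue`). The table and Solution text look copied from 2016-0001; please confirm the module and make all three places agree, since downstream packagers match on the module name.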

View file

@ -0,0 +1,51 @@
# Security Advisory 2019-0001 (CVE-2019-9928)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Buffer overflow in RTSP parsing |
| Date | 2019-04-22 00:30 |
| Affected Versions | GStreamer gst-plugins-bad |
| IDs | GStreamer-SA-2019-0001<br/>CVE-2019-9928 |
</div>
## Details
GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server.
## Impact
The potential exists for a malicious server to trigger remote code execution in a connecting client.
## Threat mitigation
Exploitation requires the user to access a malicious RTSP server.
## Workarounds
The user should refrain from opening RTSP streams from untrusted third parties
## Solution
The gst-plugins-base 1.16.0 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2019-9928](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9928)
### GStreamer 1.16.0 release
- [Release Notes](/releases/1.16/)
- [GStreamer Plugins Base 1.16.0](/src/gst-plugins-base/gst-plugins-base-1.16.0.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/merge_requests/157)
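
Review bot: the `Affected Versions` row reads `GStreamer gst-plugins-bad` with no version range, while the Solution paragraph, the tarball link and the patch link all refer to gst-plugins-base and a fix in 1.16.0. The row should name the same module as the fix and carry a range consistent with the Details text (`GStreamer before 1.16.0`). The Workarounds sentence is also missing its final period.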

View file

@ -0,0 +1,39 @@
# Security Advisory 2021-0001 (CVE-2021-3522)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Out-of-bounds read in ID3v2 tag parsing |
| Date | 2021-03-15 16:00 |
| Affected Versions | GStreamer gst-plugins-base 1.x <= 1.18.3, 0.10.36 |
| IDs | GStreamer-SA-2021-0001<br/>CVE-2021-3522 |
</div>
## Details
GStreamer before 1.18.4 might do an out-of-bounds read when handling certain ID3v2 tags.
## Impact
It might be possible for a malicious third party to trigger a crash in the application.
## Solution
The gst-plugins-base 1.18.4 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### GStreamer 1.18.4 release
- [Release Notes](/releases/1.18/#1.18.4)
- [GStreamer Plugins Base 1.18.4](/src/gst-plugins-base/gst-plugins-base-1.18.4.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/8a88e5c1db05ebadfd4569955f6f47c23cdca3c4?merge_request_iid=1066)
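
Review bot: the References section has no `### CVE Database Entries` block, although the title and the `IDs` row both carry CVE-2021-3522. 2021-0002 and 2021-0003, published the same day, link their CVE entries; add the matching entry here so the advisory can be followed from the CVE id.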

View file

@ -0,0 +1,43 @@
# Security Advisory 2021-0002 (CVE-2021-3497)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Use-after-free in matroska demuxing |
| Date | 2021-03-15 16:00 |
| Affected Versions | GStreamer gst-plugins-good 1.x <= 1.18.3, 0.10.x > 0.10.8 |
| IDs | GStreamer-SA-2021-0002<br/>CVE-2021-3497 |
</div>
## Details
GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.
## Impact
It might be possible for a malicious third party to trigger a crash in the application, but possibly also an arbitrary code execution with the privileges of the target user.
## Solution
The gst-plugins-good 1.18.4 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2021-3497](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3497)
### GStreamer 1.18.4 release
- [Release Notes](/releases/1.18/#1.18.4)
- [GStreamer Plugins Good 1.18.4](/src/gst-plugins-good/gst-plugins-good-1.18.4.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_id=903)
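
Review bot: the patch URL ends in `?merge_request_id=903`, whereas 2021-0003 references the same merge request as `?merge_request_iid=903` and the other 2021 advisories also use `merge_request_iid`. This looks like a typo in the query parameter; align it with the sibling files or drop the query string and link the commit alone.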

View file

@ -0,0 +1,43 @@
# Security Advisory 2021-0003 (CVE-2021-3498)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Heap corruption in matroska demuxing |
| Date | 2021-03-15 16:00 |
| Affected Versions | GStreamer gst-plugins-good 1.x <= 1.18.3 |
| IDs | GStreamer-SA-2021-0003<br/>CVE-2021-3498 |
</div>
## Details
GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.
## Impact
It might be possible for a malicious third party to trigger a crash in the application, but possibly also an arbitrary code execution with the privileges of the target user.
## Solution
The gst-plugins-good 1.18.4 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2021-3498](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3498)
### GStreamer 1.18.4 release
- [Release Notes](/releases/1.18/#1.18.4)
- [GStreamer Plugins Good 1.18.4](/src/gst-plugins-good/gst-plugins-good-1.18.4.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903)

View file

@ -0,0 +1,39 @@
# Security Advisory 2021-0004
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Out-of-bounds read in realmedia demuxing |
| Date | 2021-03-15 16:00 |
| Affected Versions | GStreamer gst-plugins-ugly 1.x <= 1.18.3 |
| ID | GStreamer-SA-2021-0004 |
</div>
## Details
GStreamer before 1.18.4 might do an out-of-bounds read when handling certain RealMedia files or streams.
## Impact
It might be possible for a malicious third party to trigger a crash in the application.
## Solution
The gst-plugins-ugly 1.18.4 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### GStreamer 1.18.4 release
- [Release Notes](/releases/1.18/#1.18.4)
- [GStreamer Plugins Ugly 1.18.4](/src/gst-plugins-ugly/gst-plugins-ugly-1.18.4.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/9726aaf78e6643a5955864f444852423de58de29?merge_request_iid=75)
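
Review bot: the last table row is labelled `ID` here (and again in 2021-0005), while the template and every other advisory in this import use `IDs`. Use `IDs` throughout so that anything parsing or styling the vertical table by row label sees one spelling.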

View file

@ -0,0 +1,39 @@
# Security Advisory 2021-0005
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Stack overflow in gst\_ffmpeg\_channel\_layout\_to\_gst() |
| Date | 2021-03-15 16:00 |
| Affected Versions | GStreamer gst-libav 1.x <= 1.18.3 |
| ID | GStreamer-SA-2021-0005 |
</div>
## Details
GStreamer before 1.18.4 might cause stack corruptions with streams that have more than 64 audio channels.
## Impact
It might be possible for a malicious third party to trigger a crash in the application.
## Solution
The gst-libav 1.18.4 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### GStreamer 1.18.4 release
- [Release Notes](/releases/1.18/#1.18.4)
- [GStreamer plugin for the FFmpeg libav* libraries 1.18.4](/src/gst-libav/gst-libav-1.18.4.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-libav/-/commit/a339f8f9641382b92b43e6d146bdc5d87a9704f8?merge_request_iid=121)

View file

@ -0,0 +1,43 @@
# Security Advisory 2022-0001 (CVE-2022-1921)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Heap overwrite in avi demuxing |
| Date | 2022-06-15 23:00 |
| Affected Versions | GStreamer gst-plugins-good 1.x < 1.20.3, 0.10.x |
| IDs | GStreamer-SA-2022-0001<br/>CVE-2022-1921 |
</div>
## Details
Heap-based buffer overflow in the avi demuxer when handling certain AVI files in GStreamer versions before 1.20.3.
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-good 1.20.3 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2022-1921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1921)
### GStreamer 1.20.3 release
- [Release Notes](/releases/1.20/#1.20.3)
- [GStreamer Plugins Good 1.20.3](/src/gst-plugins-good/gst-plugins-good-1.20.3.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0.patch)

View file

@ -0,0 +1,46 @@
# Security Advisory 2022-0002 (CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Potential heap overwrite in mkv demuxing using zlib/bz2/lzo decompression |
| Date | 2022-06-15 23:00 |
| Affected Versions | GStreamer gst-plugins-good 1.x < 1.20.3, 0.10.x |
| IDs | GStreamer-SA-2022-0002<br/>CVE-2022-1922<br/>CVE-2022-1923<br/>CVE-2022-1924<br/>CVE-2022-1925 |
</div>
## Details
Potential heap overwrite in the mkv demuxer when handling certain Matroska/WebM files in GStreamer versions before 1.20.3.
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also overwrite data on the heap.
## Solution
The gst-plugins-good 1.20.3 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2022-1922](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1922)
- [CVE-2022-1923](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1923)
- [CVE-2022-1924](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1924)
- [CVE-2022-1925](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1925)
### GStreamer 1.20.3 release
- [Release Notes](/releases/1.20/#1.20.3)
- [GStreamer Plugins Good 1.20.3](/src/gst-plugins-good/gst-plugins-good-1.20.3.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966.patch)

View file

@ -0,0 +1,43 @@
# Security Advisory 2022-0003 (CVE-2022-2122)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Potential heap overwrite in mp4 demuxing using zlib decompression |
| Date | 2022-06-15 23:00 |
| Affected Versions | GStreamer gst-plugins-good 1.x < 1.20.3, 0.10.x |
| IDs | GStreamer-SA-2022-0003<br/>CVE-2022-2122 |
</div>
## Details
Potential heap overwrite in the qt demuxer when handling certain QuickTime/MP4 files in GStreamer versions before 1.20.3.
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also overwrite data on the heap.
## Solution
The gst-plugins-good 1.20.3 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2022-2122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2122)
### GStreamer 1.20.3 release
- [Release Notes](/releases/1.20/#1.20.3)
- [GStreamer Plugins Good 1.20.3](/src/gst-plugins-good/gst-plugins-good-1.20.3.tar.xz)
### Patches
- [Patch 1](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774.patch)

View file

@ -0,0 +1,43 @@
# Security Advisory 2022-0004 (CVE-2022-1920)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Potential heap overwrite in gst\_matroska\_demux\_add\_wvpk\_header |
| Date | 2022-06-15 23:00 |
| Affected Versions | GStreamer gst-plugins-good 1.x < 1.20.3, 0.10.x |
| IDs | GStreamer-SA-2022-0004<br/>CVE-2022-1920 |
</div>
## Details
Potential heap overwrite in the mkv demuxer when handling certain Matroska files in GStreamer versions before 1.20.3.
## Impact
It is possible for a malicious third party to overwrite data on the heap, and possibly even effect code execution.
## Solution
The gst-plugins-good 1.20.3 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2022-1920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1920)
### GStreamer 1.20.3 release
- [Release Notes](/releases/1.20/#1.20.3)
- [GStreamer Plugins Good 1.20.3](/src/gst-plugins-good/gst-plugins-good-1.20.3.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/cf887f1b8e228bff6e19829e6d03995d70ad739d.patch)

View file

@ -0,0 +1,48 @@
# Security Advisory 2023-0001 (ZDI-CAN-20775, CVE-2023-37327)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Integer overflow leading to heap overwrite in FLAC image tag handling |
| Date | 2023-06-20 18:00 |
| Affected Versions | GStreamer gst-plugins-good 1.x < 1.22.4, 1.x < 1.20.7, 0.10.x |
| IDs | GStreamer-SA-2023-0001<br/>ZDI-CAN-20775<br/>CVE-2023-37327 |
</div>
## Details
Heap-based buffer overflow in the FLAC parser when handling malformed image tags in GStreamer versions before 1.22.4 / 1.20.7.
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-good 1.22.4 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2023-37327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37327)
### GStreamer 1.22.4 release
- [Release Notes](/releases/1.22/#1.22.4)
- [GStreamer Plugins Good 1.22.4](/src/gst-plugins-good/gst-plugins-good-1.22.4.tar.xz)
### GStreamer 1.20.7 release
- [Release Notes](/releases/1.20/#1.20.7)
- [GStreamer Plugins Good 1.20.7](/src/gst-plugins-good/gst-plugins-good-1.20.7.tar.xz)
### Patches
- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894.patch)
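
Review bot: the `Affected Versions` row reads `1.x < 1.22.4, 1.x < 1.20.7, 0.10.x`, and the two `1.x` ranges overlap: taken literally, 1.20.7 is both fixed (per the Solution paragraph) and affected (it is below 1.22.4). Name the branches explicitly so the row can be evaluated mechanically. The same pattern recurs in 2023-0002 through 2023-0005.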

View file

@ -0,0 +1,48 @@
# Security Advisory 2023-0002 (ZDI-CAN-20968, CVE-2023-37328)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Heap overwrite in subtitle parsing |
| Date | 2023-06-20 18:00 |
| Affected Versions | GStreamer gst-plugins-base 1.x < 1.22.4, 1.x < 1.20.7, 0.10.x |
| IDs | GStreamer-SA-2023-0002<br/>ZDI-CAN-20968<br/>CVE-2023-37328 |
</div>
## Details
Heap-based buffer overflow in the subparse subtitle parser when handling certain SRT subtitle files in GStreamer versions before 1.22.4 / 1.20.7.
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-base 1.22.4 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2023-37328](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37328)
### GStreamer 1.22.4 release
- [Release Notes](/releases/1.22/#1.22.4)
- [GStreamer Plugins Base 1.22.4](/src/gst-plugins-base/gst-plugins-base-1.22.4.tar.xz)
### GStreamer 1.20.7 release
- [Release Notes](/releases/1.20/#1.20.7)
- [GStreamer Plugins Base 1.20.7](/src/gst-plugins-base/gst-plugins-base-1.20.7.tar.xz)
### Patches
- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895.patch)

View file

@ -0,0 +1,48 @@
# Security Advisory 2023-0003 (ZDI-CAN-20994, CVE-2023-37329)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Heap overwrite in PGS subtitle overlay decoder |
| Date | 2023-06-20 18:00 |
| Affected Versions | GStreamer gst-plugins-bad 1.x < 1.22.4, 1.x < 1.20.7, 0.10.x |
| IDs | GStreamer-SA-2023-0003<br/>ZDI-CAN-20994<br/>CVE-2023-37329 |
</div>
## Details
Heap-based buffer overflow in the PGS blu-ray subtitle decoder when handling certain files in GStreamer versions before 1.22.4 / 1.20.7.
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-bad 1.22.4 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2023-37329](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37329)
### GStreamer 1.22.4 release
- [Release Notes](/releases/1.22/#1.22.4)
- [GStreamer Plugins Bad 1.22.4](/src/gst-plugins-bad/gst-plugins-bad-1.22.4.tar.xz)
### GStreamer 1.20.7 release
- [Release Notes](/releases/1.20/#1.20.7)
- [GStreamer Plugins Bad 1.20.7](/src/gst-plugins-bad/gst-plugins-bad-1.20.7.tar.xz)
### Patches
- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896.patch)

View file

@ -0,0 +1,44 @@
# Security Advisory 2023-0004 (ZDI-CAN-21443)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Integer overflow leading to heap overwrite in RealMedia file handling |
| Date | 2023-07-20 14:00 |
| Affected Versions | GStreamer gst-plugins-ugly 1.x < 1.22.5, 1.x < 1.20.7, 0.10.x |
| IDs | GStreamer-SA-2023-0004<br/>ZDI-CAN-21443 |
</div>
## Details
Heap-based buffer overflow in the RealMedia file demuxer when handling malformed files in GStreamer versions before 1.22.5 / 1.20.7.
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-ugly 1.22.5 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### GStreamer 1.22.5 release
- [Release Notes](/releases/1.22/#1.22.5)
- [GStreamer Plugins Ugly 1.22.5](/src/gst-plugins-ugly/gst-plugins-ugly-1.22.5.tar.xz)
### GStreamer 1.20.7 release
- [Release Notes](/releases/1.20/#1.20.7)
- [GStreamer Plugins Ugly 1.20.7](/src/gst-plugins-ugly/gst-plugins-ugly-1.20.7.tar.xz)
### Patches
- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072.patch)

View file

@ -0,0 +1,44 @@
# Security Advisory 2023-0005 (ZDI-CAN-21444)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Integer overflow leading to heap overwrite in RealMedia file handling |
| Date | 2023-07-20 14:00 |
| Affected Versions | GStreamer gst-plugins-ugly 1.x < 1.22.5, 1.x < 1.20.7, 0.10.x |
| IDs | GStreamer-SA-2023-0005<br/>ZDI-CAN-21444 |
</div>
## Details
Heap-based buffer overflow in the RealMedia file demuxer when handling malformed files in GStreamer versions before 1.22.5 / 1.20.7.
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-ugly 1.22.5 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### GStreamer 1.22.5 release
- [Release Notes](/releases/1.22/#1.22.5)
- [GStreamer Plugins Ugly 1.22.5](/src/gst-plugins-ugly/gst-plugins-ugly-1.22.5.tar.xz)
### GStreamer 1.20.7 release
- [Release Notes](/releases/1.20/#1.20.7)
- [GStreamer Plugins Ugly 1.20.7](/src/gst-plugins-ugly/gst-plugins-ugly-1.20.7.tar.xz)
### Patches
- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072.patch)
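
Review bot: apart from the advisory number and the ZDI id, this file is identical to 2023-0004: same Summary, same Details sentence and the same patch link (`merge_requests/5072.patch`). A reader cannot tell which defect each advisory covers. Distinguish the two in Summary or Details, and add a cross-reference on the patch line the way 2023-0006 and 2023-0007 do (`includes patch for SA-2023-0007 / ...`).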

View file

@ -0,0 +1,43 @@
# Security Advisory 2023-0006 (ZDI-CAN-21660, CVE-2023-40474)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Integer overflow leading to heap overwrite in MXF file handling with uncompressed video |
| Date | 2023-09-20 20:00 |
| Affected Versions | GStreamer gst-plugins-bad < 1.22.6 |
| IDs | GStreamer-SA-2023-0006<br/>ZDI-CAN-21660<br/>CVE-2023-40474 |
</div>
## Details
Heap-based buffer overflow in the MXF file demuxer when handling malformed files with uncompressed video in GStreamer versions before 1.22.6
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-bad 1.22.6 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2023-40474](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40474)
### GStreamer 1.22.6 release
- [Release Notes](/releases/1.22/#1.22.6)
- [GStreamer Plugins Bad 1.22.6](/src/gst-plugins-bad/gst-plugins-bad-1.22.6.tar.xz)
### Patches
- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch) (includes patch for SA-2023-0007 / ZDI-CAN-21661 / CVE-2023-40475)
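
Review bot: the Solution sentence says `The gst-plugins-bad 1.22.6 releases address the issue` although a single release is named; it should read `release addresses`. The Details sentence also ends without a period. Both slips repeat in 2023-0007 through 2023-0011, so they are worth fixing in one pass.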

View file

@ -0,0 +1,43 @@
# Security Advisory 2023-0007 (ZDI-CAN-21661, CVE-2023-40475)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Integer overflow leading to heap overwrite in MXF file handling with AES3 audio |
| Date | 2023-09-20 20:00 |
| Affected Versions | GStreamer gst-plugins-bad < 1.22.6 |
| IDs | GStreamer-SA-2023-0007<br/>ZDI-CAN-21661<br/>CVE-2023-40475 |
</div>
## Details
Heap-based buffer overflow in the MXF file demuxer when handling malformed files with AES3 audio in GStreamer versions before 1.22.6
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-bad 1.22.6 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2023-40475](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40475)
### GStreamer 1.22.6 release
- [Release Notes](/releases/1.22/#1.22.6)
- [GStreamer Plugins Bad 1.22.6](/src/gst-plugins-bad/gst-plugins-bad-1.22.6.tar.xz)
### Patches
- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch) (includes patch for SA-2023-0006 / ZDI-CAN-21660 / CVE-2023-40474)

View file

@ -0,0 +1,43 @@
# Security Advisory 2023-0008 (ZDI-CAN-21768, CVE-2023-40476)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Integer overflow in H.265 video parser leading to stack overwrite |
| Date | 2023-09-20 20:00 |
| Affected Versions | GStreamer gst-plugins-bad < 1.22.6 |
| IDs | GStreamer-SA-2023-0008<br/>ZDI-CAN-21768<br/>CVE-2023-40476 |
</div>
## Details
Stack-based buffer overflow in the H.265 video parser when handling malformed H.265 video streams in GStreamer versions before 1.22.6
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through stack manipulation.
## Solution
The gst-plugins-bad 1.22.6 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2023-40476](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40476)
### GStreamer 1.22.6 release
- [Release Notes](/releases/1.22/#1.22.6)
- [GStreamer Plugins Bad 1.22.6](/src/gst-plugins-bad/gst-plugins-bad-1.22.6.tar.xz)
### Patches
- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364.patch)

View file

@ -0,0 +1,43 @@
# Security Advisory 2023-0009 (ZDI-CAN-22226, CVE-2023-44429)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | AV1 codec parser buffer overflow |
| Date | 2023-11-13 12:00 |
| Affected Versions | GStreamer gst-plugins-bad < 1.22.7 |
| IDs | GStreamer-SA-2023-0009<br/>ZDI-CAN-22226<br/>CVE-2023-44429 |
</div>
## Details
Heap-based buffer overflow in the AV1 codec parser when handling certain malformed streams before GStreamer 1.22.7
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-bad 1.22.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2023-44429](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44429)
### GStreamer 1.22.7 release
- [Release Notes](/releases/1.22/#1.22.7)
- [GStreamer Plugins Bad 1.22.7](/src/gst-plugins-bad/gst-plugins-bad-1.22.7.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634.patch)

View file

@ -0,0 +1,43 @@
# Security Advisory 2023-0010 (ZDI-CAN-22299, CVE-2023-44446)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | MXF demuxer use-after-free |
| Date | 2023-11-13 12:00 |
| Affected Versions | GStreamer gst-plugins-bad < 1.22.7 |
| IDs | GStreamer-SA-2023-0010<br/>ZDI-CAN-22299<br/>CVE-2023-44446 |
</div>
## Details
Use-after-free (read) in the MXF demuxer when handling certain files before GStreamer 1.22.7
## Impact
It is possible for a malicious third party to trigger a crash in the application.
## Solution
The gst-plugins-bad 1.22.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2023-44446](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44446)
### GStreamer 1.22.7 release
- [Release Notes](/releases/1.22/#1.22.7)
- [GStreamer Plugins Bad 1.22.7](/src/gst-plugins-bad/gst-plugins-bad-1.22.7.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5635.patch)
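
Review bot: the advisory goes from Impact straight to Solution, so someone who cannot move to 1.22.7 immediately has no statement on whether a workaround exists. Suggest adding a Workarounds section, even if it only says that none is known. In Details, "certain files" could say what kind of MXF input triggers the use-after-free read, and the sentence is missing its closing period.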

View file

@ -0,0 +1,38 @@
# Security Advisory 2023-0011 (ZDI-CAN-22300)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | AV1 codec parser buffer overflow |
| Date | 2023-12-18 14:00 |
| Affected Versions | GStreamer gst-plugins-bad < 1.22.8 |
| IDs | GStreamer-SA-2023-0011<br/>ZDI-CAN-22300<br/>CVE-2023-50186 |
</div>
## Details
Heap-based buffer overflow in the AV1 codec parser when handling certain malformed streams before GStreamer 1.22.8
## Impact
It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-bad 1.22.8 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### GStreamer 1.22.8 release
- [Release Notes](/releases/1.22/#1.22.8)
- [GStreamer Plugins Bad 1.22.8](/src/gst-plugins-bad/gst-plugins-bad-1.22.8.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5823.patch)
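
Review bot: the heading reads `(ZDI-CAN-22300)` while the IDs row also lists CVE-2023-50186, and References has no "CVE Database Entries" subsection, unlike the neighbouring advisories. Anyone searching the advisory by CVE number will miss it from the title and finds no link to the CVE record. Suggest `# Security Advisory 2023-0011 (ZDI-CAN-22300, CVE-2023-50186)` and a CVE Database Entries entry for CVE-2023-50186 in the same form as the others.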

View file

@ -0,0 +1,45 @@
# Security Advisory 2024-0001 (ZDI-CAN-22873, CVE-2024-0444)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | AV1 codec parser potential buffer overflow during tile list parsing |
| Date | 2024-01-24 20:00 |
| Affected Versions | GStreamer gst-plugins-bad < 1.22.9 |
| IDs | GStreamer-SA-2024-0001<br/>ZDI-CAN-22873<br/>CVE-2024-0444 |
</div>
## Details
Heap-based buffer overflow in the AV1 codec parser when handling certain malformed streams before GStreamer 1.22.9.
## Impact
It is possible for a malicious third party to trigger a crash in the application,
and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-bad 1.22.9 releases address the issue.
People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2024-0444](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0444)
### GStreamer 1.22.9 release
- [Release notes](/releases/1.22/#1.22.9)
- [GStreamer Plugins Bad 1.22.9](/src/gst-plugins-bad/gst-plugins-bad-1.22.9.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5970.patch)
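
Review bot: Summary and Details disagree on certainty and scope. The Summary says "potential buffer overflow during tile list parsing", while Details states a "Heap-based buffer overflow" for "certain malformed streams" and never mentions tile lists. Suggest carrying "during tile list parsing" into Details and choosing one wording for whether the overflow is confirmed or potential. Minor: the link label is "Release notes" here and "Release Notes" in the earlier advisories.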

View file

@ -0,0 +1,52 @@
# Security Advisory 2024-0002 (ZDI-CAN-23896, CVE-2024-4453)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Integer overflow in EXIF metadata parser leading to potential heap overwrite |
| Date | 2024-04-29 20:00 |
| Affected Versions | GStreamer gst-plugins-base < 1.24.3, gst-plugins-base < 1.22.12 |
| IDs | GStreamer-SA-2024-0002<br/>ZDI-CAN-23896<br/>CVE-2024-4453 |
</div>
## Details
Heap-based buffer overflow in the EXIF image tag parser when handling certain malformed streams before GStreamer 1.24.3 or 1.22.12.
## Impact
It is possible for a malicious third party to trigger a crash in the application,
and possibly also effect code execution through heap manipulation.
## Solution
The gst-plugins-base 1.24.3 and 1.22.12 releases address the issue.
People using older branches of GStreamer should apply the patch and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2024-4453](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4453)
### GStreamer releases
#### 1.24 (current stable)
- [GStreamer 1.24.3 release notes](/releases/1.24/#1.24.3)
- [GStreamer Plugins Base 1.24.3](/src/gst-plugins-base/gst-plugins-base-1.24.3.tar.xz)
#### 1.22 (old stable)
- [GStreamer 1.22.12 release notes](/releases/1.22/#1.22.12)
- [GStreamer Plugins Base 1.22.12](/src/gst-plugins-base/gst-plugins-base-1.22.12.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6766.patch)
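
Review bot: the Affected Versions row "gst-plugins-base < 1.24.3, gst-plugins-base < 1.22.12" is ambiguous, because read literally the first bound already covers 1.22.12, which the Solution says is fixed. Suggest stating the ranges per branch, for example "gst-plugins-base 1.24.x < 1.24.3<br/>gst-plugins-base < 1.22.12", so version checks built from this table do not flag patched 1.22 installs. Details also drops the integer overflow named in the Summary; one clause linking the integer overflow to the heap overwrite would make the two consistent.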

View file

@ -0,0 +1,50 @@
# Security Advisory 2024-0003 (JVN#02030803, JPCERT#92912620, CVE-2024-40897)
<div class="vertical-table">
| | |
| ----------------- | --- |
| Summary | Orc compiler stack-based buffer overflow |
| Date | 2024-07-19 12:30 |
| Affected Versions | orc < 0.4.39 |
| IDs | GStreamer-SA-2024-0003<br/>JVN#02030803 / JPCERT#92912620<br/>CVE-2024-40897 |
</div>
## Details
Stack-based buffer overflow in the Orc compiler when formatting error messages for certain input files.
## Impact
It is possible for a malicious third party to trigger a buffer overflow and
effect code execution with the same privileges as the orc compiler is called
with by feeding it with malformed orc source files.
This only affects developers and CI environments using orcc, not users of liborc.
## Solution
The Orc 0.4.39 release address the issue.
People using older branches of Orc should apply the patches and recompile.
## References
### The GStreamer project
- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)
### CVE Database Entries
- [CVE-2024-40897](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40897)
### GStreamer Orc releases
#### 0.4.39
- [Orc 0.4.39 release notes](https://discourse.gstreamer.org/t/orc-0-4-39-release/1969)
- [Orc 0.4.39 tarball (.tar.xz)](/src/orc/orc-0.4.39.tar.xz)
### Patches
- [Patch](https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191.patch)
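
Review bot: the Solution says "should apply the patches" but References links a single `[Patch]` (`191.patch`); make the two agree so readers know whether one merge request is the complete fix. Also in Solution, "The Orc 0.4.39 release address the issue" should be "addresses". The scoping statement in Impact ("This only affects developers and CI environments using orcc, not users of liborc") is the most useful triage fact here and would be worth repeating in the Affected Versions row, which currently says only "orc < 0.4.39".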