diff --git a/security-advisories/alert-template.md b/security-advisories/alert-template.md new file mode 100644 index 0000000000..d9d3452f7a --- /dev/null +++ b/security-advisories/alert-template.md @@ -0,0 +1,41 @@ +# Security Advisory 2024-XXXX + +
+ +| | | +| ----------------- | ----------------------------------------- | +| Summary | Example summary | +| Date | 2024-04-10 10:00 | +| Affected Versions | GStreamer gst-plugins-XYZ | +| IDs | GStreamer-SA-2024-XXXX
CVE-2024-XXXX | + +
+ +## Details + +## Impact + +## Threat mitigation + +## Workarounds + +## Solution + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2024-XXXX](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-XXXX) + +### GStreamer 1.XX.X release + +- [Release Notes](/releases/1.XX/#1.XX.X) +- [GStreamer Plugins XYZ 1.XX.X](/src/gst-plugins-XYZ/gst-plugins-XYZ-1.XX.X.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/XXXX.patch) diff --git a/security-advisories/sa-2016-0001.md b/security-advisories/sa-2016-0001.md new file mode 100644 index 0000000000..81df6346c7 --- /dev/null +++ b/security-advisories/sa-2016-0001.md @@ -0,0 +1,52 @@ +# Security Advisory 2016-0001 (CVE-2016-9445, CVE-2016-9446) + +
+ +| | | +| ----------------- | --- | +| Summary | Multiple Issues in VMNC decoder | +| Date | 2016-11-17 16:00 | +| Affected Versions | GStreamer gst-plugins-bad 1.10 < 1.10.1
GStreamer gst-plugins-bad 1.x <= 1.8.3 | +| IDs | GStreamer-SA-2016-0001
CVE-2016-9445
CVE-2016-9446 | + +
+ +## Details + +The VMNC decoder in gst-plugins-bad contains an integer overflow vulnerability and a failure to initialize output memory. + +## Impact + +If successful, a malicious third party could trigger either a crash in an application decoding a VMNC video stream or an arbitrary code execution with the privileges of the target user. The failure to initialize output memory may result in an information leak. + +## Mitigation + +Exploitation requires the user to access a VMNC stream or file. + +## Workarounds + +The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites, or disable the VMNC decoder plugin by removing the plugin binary file libgstvmnc.so or libgstvmnc.dll. + +## Solution + +The gst-plugins-bad 1.10.1 release addresses the issue. The upcoming gst-plugins-bad 1.8.4 release will also address the issue. People using older branches of GStreamer should apply the patch and recompile, or disable the VMNC plugin. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2016-9445](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9445) +- [CVE-2016-9446](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9446) + +### GStreamer Bugzilla Entry + +- [Bug 774533](https://bugzilla.gnome.org/show_bug.cgi?id=774533) + +### GStreamer Patches + +- [Patch](https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe) +- [Patch 2](https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=807e23118b6b6d99e61b5e2055c4bc82a444b008) diff --git a/security-advisories/sa-2016-0002.md b/security-advisories/sa-2016-0002.md new file mode 100644 index 0000000000..b0d359ec87 --- /dev/null +++ b/security-advisories/sa-2016-0002.md @@ -0,0 +1,58 @@ +# Security Advisory 2016-0002 (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807) + +
+ +| | | +| ----------------- | --- | +| Summary | Multiple Issues in FLC/FLI/FLX Decoder | +| Date | 2016-11-23 03:00 | +| Affected Versions | GStreamer gst-plugins-bad 1.10 < 1.10.2
GStreamer gst-plugins-bad 1.x <= 1.8.3 | +| IDs | GStreamer-SA-2016-0002
CVE-2016-9634
CVE-2016-9635
CVE-2016-9636
CVE-2016-9807 | + +
+ +## Details + +The decoder for the FLC/FLI/FLX animation video formats in gst-plugins-good contains various out-of-bounds writes and reads and fails to initialize output frame memory. + +## Impact + +If successful, a malicious third party could trigger either a crash in an application decoding a FLC/FLI/FLX video stream or an arbitrary code execution with the privileges of the target user. The failure to initialize output memory may result in an information leak. + +## Threat Mitigation + +Exploitation requires the user to access an FLC/FLI/FLX stream or file. + +## Workarounds + +The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites, or disable the FLC/FLI/FLX decoder plugin by removing the plugin binary file libgstflxdec.so or libgstflxdec.dll. + +## Solution + +The gst-plugins-bad 1.10.2 release addresses the issue. The upcoming gst-plugins-bad 1.8.4 release will also address the issue. People using older branches of GStreamer should apply the patch and recompile or disable the FLC/FLI/FLX plugin. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2016-9634](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9634) +- [CVE-2016-9635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9635) +- [CVE-2016-9636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9636) +- [CVE-2016-9807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9807) + +### GStreamer Bugzilla Entries + +- [Bug 774834](https://bugzilla.gnome.org/show_bug.cgi?id=774834) +- [Bug 774859](https://bugzilla.gnome.org/show_bug.cgi?id=774859) + +### GStreamer Patches + +- [Patch 1](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac) +- [Patch 2](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=fec77de8cbb0c8192b77aff2e563705ba421f2f2) +- [Patch 3](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=45dcd0b9ccf33ed85cdafeb871a3781f5be57fd9) +- [Patch 4](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff) +- [Patch 5](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=96aaf889afe90b5e02ec756af5c6c7000d2cc424) diff --git a/security-advisories/sa-2019-0001.md b/security-advisories/sa-2019-0001.md new file mode 100644 index 0000000000..c1662cecda --- /dev/null +++ b/security-advisories/sa-2019-0001.md @@ -0,0 +1,51 @@ +# Security Advisory 2019-0001 (CVE-2019-9928) + +
+ +| | | +| ----------------- | --- | +| Summary | Buffer overflow in RTSP parsing | +| Date | 2019-04-22 00:30 | +| Affected Versions | GStreamer gst-plugins-bad | +| IDs | GStreamer-SA-2019-0001
CVE-2019-9928 | + +
+ +## Details + +GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server. + +## Impact + +The potential exists for a malicious server to trigger remote code execution in a connecting client. + +## Threat mitigation + +Exploitation requires the user to access a malicious RTSP server. + +## Workarounds + +The user should refrain from opening RTSP streams from untrusted third parties + +## Solution + +The gst-plugins-base 1.16.0 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2019-9928](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9928) + +### GStreamer 1.16.0 release + +- [Release Notes](/releases/1.16/) +- [GStreamer Plugins Base 1.16.0](/src/gst-plugins-base/gst-plugins-base-1.16.0.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/merge_requests/157) diff --git a/security-advisories/sa-2021-0001.md b/security-advisories/sa-2021-0001.md new file mode 100644 index 0000000000..8ac3897e2e --- /dev/null +++ b/security-advisories/sa-2021-0001.md @@ -0,0 +1,39 @@ +# Security Advisory 2021-0001 (CVE-2021-3522) + +
+ +| | | +| ----------------- | --- | +| Summary | Out-of-bounds read in ID3v2 tag parsing | +| Date | 2021-03-15 16:00 | +| Affected Versions | GStreamer gst-plugins-base 1.x <= 1.18.3, 0.10.36 | +| IDs | GStreamer-SA-2021-0001
CVE-2021-3522 | + +
+ +## Details + +GStreamer before 1.18.4 might do an out-of-bounds read when handling certain ID3v2 tags. + +## Impact + +It might be possible for a malicious third party to trigger a crash in the application. + +## Solution + +The gst-plugins-base 1.18.4 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### GStreamer 1.18.4 release + +- [Release Notes](/releases/1.18/#1.18.4) +- [GStreamer Plugins Base 1.18.4](/src/gst-plugins-base/gst-plugins-base-1.18.4.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/8a88e5c1db05ebadfd4569955f6f47c23cdca3c4?merge_request_iid=1066) diff --git a/security-advisories/sa-2021-0002.md b/security-advisories/sa-2021-0002.md new file mode 100644 index 0000000000..598ac0221e --- /dev/null +++ b/security-advisories/sa-2021-0002.md @@ -0,0 +1,43 @@ +# Security Advisory 2021-0002 (CVE-2021-3497) + +
+ +| | | +| ----------------- | --- | +| Summary | Use-after-free in matroska demuxing | +| Date | 2021-03-15 16:00 | +| Affected Versions | GStreamer gst-plugins-good 1.x <= 1.18.3, 0.10.x > 0.10.8 | +| IDs | GStreamer-SA-2021-0002
CVE-2021-3497 | + +
+ +## Details + +GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files. + +## Impact + +It might be possible for a malicious third party to trigger a crash in the application, but possibly also an arbitrary code execution with the privileges of the target user. + +## Solution + +The gst-plugins-good 1.18.4 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2021-3497](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3497) + +### GStreamer 1.18.4 release + +- [Release Notes](/releases/1.18/#1.18.4) +- [GStreamer Plugins Good 1.18.4](/src/gst-plugins-good/gst-plugins-good-1.18.4.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_id=903) diff --git a/security-advisories/sa-2021-0003.md b/security-advisories/sa-2021-0003.md new file mode 100644 index 0000000000..713406e65f --- /dev/null +++ b/security-advisories/sa-2021-0003.md @@ -0,0 +1,43 @@ +# Security Advisory 2021-0003 (CVE-2021-3498) + +
+ +| | | +| ----------------- | --- | +| Summary | Heap corruption in matroska demuxing | +| Date | 2021-03-15 16:00 | +| Affected Versions | GStreamer gst-plugins-good 1.x <= 1.18.3 | +| IDs | GStreamer-SA-2021-0003
CVE-2021-3498 | + +
+ +## Details + +GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files. + +## Impact + +It might be possible for a malicious third party to trigger a crash in the application, but possibly also an arbitrary code execution with the privileges of the target user. + +## Solution + +The gst-plugins-good 1.18.4 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2021-3498](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3498) + +### GStreamer 1.18.4 release + +- [Release Notes](/releases/1.18/#1.18.4) +- [GStreamer Plugins Good 1.18.4](/src/gst-plugins-good/gst-plugins-good-1.18.4.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903) diff --git a/security-advisories/sa-2021-0004.md b/security-advisories/sa-2021-0004.md new file mode 100644 index 0000000000..18a4c72c4a --- /dev/null +++ b/security-advisories/sa-2021-0004.md @@ -0,0 +1,39 @@ +# Security Advisory 2021-0004 + +
+ +| | | +| ----------------- | --- | +| Summary | Out-of-bounds read in realmedia demuxing | +| Date | 2021-03-15 16:00 | +| Affected Versions | GStreamer gst-plugins-ugly 1.x <= 1.18.3 | +| ID | GStreamer-SA-2021-0004 | + +
+ +## Details + +GStreamer before 1.18.4 might do an out-of-bounds read when handling certain RealMedia files or streams. + +## Impact + +It might be possible for a malicious third party to trigger a crash in the application. + +## Solution + +The gst-plugins-ugly 1.18.4 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### GStreamer 1.18.4 release + +- [Release Notes](/releases/1.18/#1.18.4) +- [GStreamer Plugins Ugly 1.18.4](/src/gst-plugins-ugly/gst-plugins-ugly-1.18.4.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/9726aaf78e6643a5955864f444852423de58de29?merge_request_iid=75) diff --git a/security-advisories/sa-2021-0005.md b/security-advisories/sa-2021-0005.md new file mode 100644 index 0000000000..482c155617 --- /dev/null +++ b/security-advisories/sa-2021-0005.md @@ -0,0 +1,39 @@ +# Security Advisory 2021-0005 + +
+ +| | | +| ----------------- | --- | +| Summary | Stack overflow in gst\_ffmpeg\_channel\_layout\_to\_gst() | +| Date | 2021-03-15 16:00 | +| Affected Versions | GStreamer gst-libav 1.x <= 1.18.3 | +| ID | GStreamer-SA-2021-0005 | + +
+ +## Details + +GStreamer before 1.18.4 might cause stack corruptions with streams that have more than 64 audio channels. + +## Impact + +It might be possible for a malicious third party to trigger a crash in the application. + +## Solution + +The gst-libav 1.18.4 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### GStreamer 1.18.4 release + +- [Release Notes](/releases/1.18/#1.18.4) +- [GStreamer plugin for the FFmpeg libav* libraries 1.18.4](/src/gst-libav/gst-libav-1.18.4.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gst-libav/-/commit/a339f8f9641382b92b43e6d146bdc5d87a9704f8?merge_request_iid=121) diff --git a/security-advisories/sa-2022-0001.md b/security-advisories/sa-2022-0001.md new file mode 100644 index 0000000000..a3056e9ae5 --- /dev/null +++ b/security-advisories/sa-2022-0001.md @@ -0,0 +1,43 @@ +# Security Advisory 2022-0001 (CVE-2022-1921) + +
+ +| | | +| ----------------- | --- | +| Summary | Heap overwrite in avi demuxing | +| Date | 2022-06-15 23:00 | +| Affected Versions | GStreamer gst-plugins-good 1.x < 1.20.3, 0.10.x | +| IDs | GStreamer-SA-2022-0001
CVE-2022-1921 | + +
+ +## Details + +Heap-based buffer overflow in the avi demuxer when handling certain AVI files in GStreamer versions before 1.20.3. + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-good 1.20.3 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2022-1921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1921) + +### GStreamer 1.20.3 release + +- [Release Notes](/releases/1.20/#1.20.3) +- [GStreamer Plugins Good 1.20.3](/src/gst-plugins-good/gst-plugins-good-1.20.3.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0.patch) diff --git a/security-advisories/sa-2022-0002.md b/security-advisories/sa-2022-0002.md new file mode 100644 index 0000000000..899396b38b --- /dev/null +++ b/security-advisories/sa-2022-0002.md @@ -0,0 +1,46 @@ +# Security Advisory 2022-0002 (CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925) + +
+ +| | | +| ----------------- | --- | +| Summary | Potential heap overwrite in mkv demuxing using zlib/bz2/lzo decompression | +| Date | 2022-06-15 23:00 | +| Affected Versions | GStreamer gst-plugins-good 1.x < 1.20.3, 0.10.x | +| IDs | GStreamer-SA-2022-0002
CVE-2022-1922
CVE-2022-1923
CVE-2022-1924
CVE-2022-1925 | + +
+ +## Details + +Potential heap overwrite in the mkv demuxer when handling certain Matroska/WebM files in GStreamer versions before 1.20.3. + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also overwrite data on the heap. + +## Solution + +The gst-plugins-good 1.20.3 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2022-1922](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1922) +- [CVE-2022-1923](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1923) +- [CVE-2022-1924](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1924) +- [CVE-2022-1925](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1925) + +### GStreamer 1.20.3 release + +- [Release Notes](/releases/1.20/#1.20.3) +- [GStreamer Plugins Good 1.20.3](/src/gst-plugins-good/gst-plugins-good-1.20.3.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966.patch) diff --git a/security-advisories/sa-2022-0003.md b/security-advisories/sa-2022-0003.md new file mode 100644 index 0000000000..22e7625a79 --- /dev/null +++ b/security-advisories/sa-2022-0003.md @@ -0,0 +1,43 @@ +# Security Advisory 2022-0003 (CVE-2022-2122) + +
+ +| | | +| ----------------- | --- | +| Summary | Potential heap overwrite in mp4 demuxing using zlib decompression | +| Date | 2022-06-15 23:00 | +| Affected Versions | GStreamer gst-plugins-good 1.x < 1.20.3, 0.10.x | +| IDs | GStreamer-SA-2022-0003
CVE-2022-2122 | + +
+ +## Details + +Potential heap overwrite in the qt demuxer when handling certain QuickTime/MP4 files in GStreamer versions before 1.20.3. + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also overwrite data on the heap. + +## Solution + +The gst-plugins-good 1.20.3 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2022-2122](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2122) + +### GStreamer 1.20.3 release + +- [Release Notes](/releases/1.20/#1.20.3) +- [GStreamer Plugins Good 1.20.3](/src/gst-plugins-good/gst-plugins-good-1.20.3.tar.xz) + +### Patches + +- [Patch 1](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774.patch) diff --git a/security-advisories/sa-2022-0004.md b/security-advisories/sa-2022-0004.md new file mode 100644 index 0000000000..165d25a546 --- /dev/null +++ b/security-advisories/sa-2022-0004.md @@ -0,0 +1,43 @@ +# Security Advisory 2022-0004 (CVE-2022-1920) + +
+ +| | | +| ----------------- | --- | +| Summary | Potential heap overwrite in gst\_matroska\_demux\_add\_wvpk\_header | +| Date | 2022-06-15 23:00 | +| Affected Versions | GStreamer gst-plugins-good 1.x < 1.20.3, 0.10.x | +| IDs | GStreamer-SA-2022-0004
CVE-2022-1920 | + +
+ +## Details + +Potential heap overwrite in the mkv demuxer when handling certain Matroska files in GStreamer versions before 1.20.3. + +## Impact + +It is possible for a malicious third party to overwrite data on the heap, and possibly even effect code execution. + +## Solution + +The gst-plugins-good 1.20.3 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2022-1920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1920) + +### GStreamer 1.20.3 release + +- [Release Notes](/releases/1.20/#1.20.3) +- [GStreamer Plugins Good 1.20.3](/src/gst-plugins-good/gst-plugins-good-1.20.3.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/cf887f1b8e228bff6e19829e6d03995d70ad739d.patch) diff --git a/security-advisories/sa-2023-0001.md b/security-advisories/sa-2023-0001.md new file mode 100644 index 0000000000..2f2ea2ca0d --- /dev/null +++ b/security-advisories/sa-2023-0001.md @@ -0,0 +1,48 @@ +# Security Advisory 2023-0001 (ZDI-CAN-20775, CVE-2023-37327) + +
+ +| | | +| ----------------- | --- | +| Summary | Integer overflow leading to heap overwrite in FLAC image tag handling | +| Date | 2023-06-20 18:00 | +| Affected Versions | GStreamer gst-plugins-good 1.x < 1.22.4, 1.x < 1.20.7, 0.10.x | +| IDs | GStreamer-SA-2023-0001
ZDI-CAN-20775
CVE-2023-37327 | + +
+ +## Details + +Heap-based buffer overflow in the FLAC parser when handling malformed image tags in GStreamer versions before 1.22.4 / 1.20.7. + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-good 1.22.4 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2023-37327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37327) + +### GStreamer 1.22.4 release + +- [Release Notes](/releases/1.22/#1.22.4) +- [GStreamer Plugins Good 1.22.4](/src/gst-plugins-good/gst-plugins-good-1.22.4.tar.xz) + +### GStreamer 1.20.7 release + +- [Release Notes](/releases/1.20/#1.20.7) +- [GStreamer Plugins Good 1.20.7](/src/gst-plugins-good/gst-plugins-good-1.20.7.tar.xz) + +### Patches + +- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894.patch) diff --git a/security-advisories/sa-2023-0002.md b/security-advisories/sa-2023-0002.md new file mode 100644 index 0000000000..48048da1cd --- /dev/null +++ b/security-advisories/sa-2023-0002.md @@ -0,0 +1,48 @@ +# Security Advisory 2023-0002 (ZDI-CAN-20968, CVE-2023-37328) + +
+ +| | | +| ----------------- | --- | +| Summary | Heap overwrite in subtitle parsing | +| Date | 2023-06-20 18:00 | +| Affected Versions | GStreamer gst-plugins-base 1.x < 1.22.4, 1.x < 1.20.7, 0.10.x | +| IDs | GStreamer-SA-2023-0002
ZDI-CAN-20968
CVE-2023-37328 | + +
+ +## Details + +Heap-based buffer overflow in the subparse subtitle parser when handling certain SRT subtitle files in GStreamer versions before 1.22.4 / 1.20.7. + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-base 1.22.4 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2023-37328](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37328) + +### GStreamer 1.22.4 release + +- [Release Notes](/releases/1.22/#1.22.4) +- [GStreamer Plugins Base 1.22.4](/src/gst-plugins-base/gst-plugins-base-1.22.4.tar.xz) + +### GStreamer 1.20.7 release + +- [Release Notes](/releases/1.20/#1.20.7) +- [GStreamer Plugins Base 1.20.7](/src/gst-plugins-base/gst-plugins-base-1.20.7.tar.xz) + +### Patches + +- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895.patch) diff --git a/security-advisories/sa-2023-0003.md b/security-advisories/sa-2023-0003.md new file mode 100644 index 0000000000..3c31cc582e --- /dev/null +++ b/security-advisories/sa-2023-0003.md @@ -0,0 +1,48 @@ +# Security Advisory 2023-0003 (ZDI-CAN-20994, CVE-2023-37329) + +
+ +| | | +| ----------------- | --- | +| Summary | Heap overwrite in PGS subtitle overlay decoder | +| Date | 2023-06-20 18:00 | +| Affected Versions | GStreamer gst-plugins-bad 1.x < 1.22.4, 1.x < 1.20.7, 0.10.x | +| IDs | GStreamer-SA-2023-0003
ZDI-CAN-20994
CVE-2023-37329 | + +
+ +## Details + +Heap-based buffer overflow in the PGS blu-ray subtitle decoder when handling certain files in GStreamer versions before 1.22.4 / 1.20.7. + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-bad 1.22.4 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2023-37329](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37329) + +### GStreamer 1.22.4 release + +- [Release Notes](/releases/1.22/#1.22.4) +- [GStreamer Plugins Bad 1.22.4](/src/gst-plugins-bad/gst-plugins-bad-1.22.4.tar.xz) + +### GStreamer 1.20.7 release + +- [Release Notes](/releases/1.20/#1.20.7) +- [GStreamer Plugins Bad 1.20.7](/src/gst-plugins-bad/gst-plugins-bad-1.20.7.tar.xz) + +### Patches + +- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896.patch) diff --git a/security-advisories/sa-2023-0004.md b/security-advisories/sa-2023-0004.md new file mode 100644 index 0000000000..2b853dd6c8 --- /dev/null +++ b/security-advisories/sa-2023-0004.md @@ -0,0 +1,44 @@ +# Security Advisory 2023-0004 (ZDI-CAN-21443) + +
+ +| | | +| ----------------- | --- | +| Summary | Integer overflow leading to heap overwrite in RealMedia file handling | +| Date | 2023-07-20 14:00 | +| Affected Versions | GStreamer gst-plugins-ugly 1.x < 1.22.5, 1.x < 1.20.7, 0.10.x | +| IDs | GStreamer-SA-2023-0004
ZDI-CAN-21443 | + +
+ +## Details + +Heap-based buffer overflow in the RealMedia file demuxer when handling malformed files in GStreamer versions before 1.22.5 / 1.20.7. + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-ugly 1.22.5 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### GStreamer 1.22.5 release + +- [Release Notes](/releases/1.22/#1.22.5) +- [GStreamer Plugins Ugly 1.22.5](/src/gst-plugins-ugly/gst-plugins-ugly-1.22.5.tar.xz) + +### GStreamer 1.20.7 release + +- [Release Notes](/releases/1.20/#1.20.7) +- [GStreamer Plugins Ugly 1.20.7](/src/gst-plugins-ugly/gst-plugins-ugly-1.20.7.tar.xz) + +### Patches + +- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072.patch) diff --git a/security-advisories/sa-2023-0005.md b/security-advisories/sa-2023-0005.md new file mode 100644 index 0000000000..fa3ed70672 --- /dev/null +++ b/security-advisories/sa-2023-0005.md @@ -0,0 +1,44 @@ +# Security Advisory 2023-0005 (ZDI-CAN-21444) + +
+ +| | | +| ----------------- | --- | +| Summary | Integer overflow leading to heap overwrite in RealMedia file handling | +| Date | 2023-07-20 14:00 | +| Affected Versions | GStreamer gst-plugins-ugly 1.x < 1.22.5, 1.x < 1.20.7, 0.10.x | +| IDs | GStreamer-SA-2023-0005
ZDI-CAN-21444 | + +
+ +## Details + +Heap-based buffer overflow in the RealMedia file demuxer when handling malformed files in GStreamer versions before 1.22.5 / 1.20.7. + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-ugly 1.22.5 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### GStreamer 1.22.5 release + +- [Release Notes](/releases/1.22/#1.22.5) +- [GStreamer Plugins Ugly 1.22.5](/src/gst-plugins-ugly/gst-plugins-ugly-1.22.5.tar.xz) + +### GStreamer 1.20.7 release + +- [Release Notes](/releases/1.20/#1.20.7) +- [GStreamer Plugins Ugly 1.20.7](/src/gst-plugins-ugly/gst-plugins-ugly-1.20.7.tar.xz) + +### Patches + +- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072.patch) diff --git a/security-advisories/sa-2023-0006.md b/security-advisories/sa-2023-0006.md new file mode 100644 index 0000000000..97dc44ead2 --- /dev/null +++ b/security-advisories/sa-2023-0006.md @@ -0,0 +1,43 @@ +# Security Advisory 2023-0006 (ZDI-CAN-21660, CVE-2023-40474) + +
+ +| | | +| ----------------- | --- | +| Summary | Integer overflow leading to heap overwrite in MXF file handling with uncompressed video | +| Date | 2023-09-20 20:00 | +| Affected Versions | GStreamer gst-plugins-bad < 1.22.6 | +| IDs | GStreamer-SA-2023-0006
ZDI-CAN-21660
CVE-2023-40474 | + +
+ +## Details + +Heap-based buffer overflow in the MXF file demuxer when handling malformed files with uncompressed video in GStreamer versions before 1.22.6 + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-bad 1.22.6 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2023-40474](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40474) + +### GStreamer 1.22.6 release + +- [Release Notes](/releases/1.22/#1.22.6) +- [GStreamer Plugins Bad 1.22.6](/src/gst-plugins-bad/gst-plugins-bad-1.22.6.tar.xz) + +### Patches + +- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch) (includes patch for SA-2023-0007 / ZDI-CAN-21661 / CVE-2023-40475) diff --git a/security-advisories/sa-2023-0007.md b/security-advisories/sa-2023-0007.md new file mode 100644 index 0000000000..ec85278d54 --- /dev/null +++ b/security-advisories/sa-2023-0007.md @@ -0,0 +1,43 @@ +# Security Advisory 2023-0007 (ZDI-CAN-21661, CVE-2023-40475) + +
+ +| | | +| ----------------- | --- | +| Summary | Integer overflow leading to heap overwrite in MXF file handling with AES3 audio | +| Date | 2023-09-20 20:00 | +| Affected Versions | GStreamer gst-plugins-bad < 1.22.6 | +| IDs | GStreamer-SA-2023-0007
ZDI-CAN-21661
CVE-2023-40475 | + +
+ +## Details + +Heap-based buffer overflow in the MXF file demuxer when handling malformed files with AES3 audio in GStreamer versions before 1.22.6 + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-bad 1.22.6 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2023-40475](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40475) + +### GStreamer 1.22.6 release + +- [Release Notes](/releases/1.22/#1.22.6) +- [GStreamer Plugins Bad 1.22.6](/src/gst-plugins-bad/gst-plugins-bad-1.22.6.tar.xz) + +### Patches + +- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362.patch) (includes patch for SA-2023-0006 / ZDI-CAN-21660 / CVE-2023-40474) diff --git a/security-advisories/sa-2023-0008.md b/security-advisories/sa-2023-0008.md new file mode 100644 index 0000000000..d4cddc48e2 --- /dev/null +++ b/security-advisories/sa-2023-0008.md @@ -0,0 +1,43 @@ +# Security Advisory 2023-0008 (ZDI-CAN-21768, CVE-2023-40476) + +
+ +| | | +| ----------------- | --- | +| Summary | Integer overflow in H.265 video parser leading to stack overwrite | +| Date | 2023-09-20 20:00 | +| Affected Versions | GStreamer gst-plugins-bad < 1.22.6 | +| IDs | GStreamer-SA-2023-0008
ZDI-CAN-21768
CVE-2023-40476 | + +
+ +## Details + +Stack-based buffer overflow in the H.265 video parser when handling malformed H.265 video streams in GStreamer versions before 1.22.6 + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through stack manipulation. + +## Solution + +The gst-plugins-bad 1.22.6 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2023-40476](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40476) + +### GStreamer 1.22.6 release + +- [Release Notes](/releases/1.22/#1.22.6) +- [GStreamer Plugins Bad 1.22.6](/src/gst-plugins-bad/gst-plugins-bad-1.22.6.tar.xz) + +### Patches + +- [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364.patch) diff --git a/security-advisories/sa-2023-0009.md b/security-advisories/sa-2023-0009.md new file mode 100644 index 0000000000..6f65f234f2 --- /dev/null +++ b/security-advisories/sa-2023-0009.md @@ -0,0 +1,43 @@ +# Security Advisory 2023-0009 (ZDI-CAN-22226, CVE-2023-44429) + +
+ +| | | +| ----------------- | --- | +| Summary | AV1 codec parser buffer overflow | +| Date | 2023-11-13 12:00 | +| Affected Versions | GStreamer gst-plugins-bad < 1.22.7 | +| IDs | GStreamer-SA-2023-0009
ZDI-CAN-22226
CVE-2023-44429 | + +
+ +## Details + +Heap-based buffer overflow in the AV1 codec parser when handling certain malformed streams before GStreamer 1.22.7 + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-bad 1.22.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2023-44429](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44429) + +### GStreamer 1.22.7 release + +- [Release Notes](/releases/1.22/#1.22.7) +- [GStreamer Plugins Bad 1.22.7](/src/gst-plugins-bad/gst-plugins-bad-1.22.7.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634.patch) diff --git a/security-advisories/sa-2023-0010.md b/security-advisories/sa-2023-0010.md new file mode 100644 index 0000000000..efb8956beb --- /dev/null +++ b/security-advisories/sa-2023-0010.md @@ -0,0 +1,43 @@ +# Security Advisory 2023-0010 (ZDI-CAN-22299, CVE-2023-44446) + +
+ +| | | +| ----------------- | --- | +| Summary | MXF demuxer use-after-free | +| Date | 2023-11-13 12:00 | +| Affected Versions | GStreamer gst-plugins-bad < 1.22.7 | +| IDs | GStreamer-SA-2023-0010
ZDI-CAN-22299
CVE-2023-44446 | + +
+ +## Details + +Use-after-free (read) in the MXF demuxer when handling certain files before GStreamer 1.22.7 + +## Impact + +It is possible for a malicious third party to trigger a crash in the application. + +## Solution + +The gst-plugins-bad 1.22.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2023-44446](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44446) + +### GStreamer 1.22.7 release + +- [Release Notes](/releases/1.22/#1.22.7) +- [GStreamer Plugins Bad 1.22.7](/src/gst-plugins-bad/gst-plugins-bad-1.22.7.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5635.patch) diff --git a/security-advisories/sa-2023-0011.md b/security-advisories/sa-2023-0011.md new file mode 100644 index 0000000000..6b55040531 --- /dev/null +++ b/security-advisories/sa-2023-0011.md @@ -0,0 +1,38 @@ +# Security Advisory 2023-0011 (ZDI-CAN-22300) + +
+ +| | | +| ----------------- | --- | +| Summary | AV1 codec parser buffer overflow | +| Date | 2023-12-18 14:00 | +| Affected Versions | GStreamer gst-plugins-bad < 1.22.8 | +| IDs | GStreamer-SA-2023-0011
ZDI-CAN-22300
CVE-2023-50186 | + +
+ +## Details + +Heap-based buffer overflow in the AV1 codec parser when handling certain malformed streams before GStreamer 1.22.8 + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-bad 1.22.8 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### GStreamer 1.22.8 release + +- [Release Notes](/releases/1.22/#1.22.8) +- [GStreamer Plugins Bad 1.22.8](/src/gst-plugins-bad/gst-plugins-bad-1.22.8.tar.xz) + +### Patches +- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5823.patch) diff --git a/security-advisories/sa-2024-0001.md b/security-advisories/sa-2024-0001.md new file mode 100644 index 0000000000..b376f606e0 --- /dev/null +++ b/security-advisories/sa-2024-0001.md @@ -0,0 +1,45 @@ +# Security Advisory 2024-0001 (ZDI-CAN-22873, CVE-2024-0444) + +
+ +| | | +| ----------------- | --- | +| Summary | AV1 codec parser potential buffer overflow during tile list parsing | +| Date | 2024-01-24 20:00 | +| Affected Versions | GStreamer gst-plugins-bad < 1.22.9 | +| IDs | GStreamer-SA-2024-0001
ZDI-CAN-22873
CVE-2024-0444 | + +
+ +## Details + +Heap-based buffer overflow in the AV1 codec parser when handling certain malformed streams before GStreamer 1.22.9. + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, +and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-bad 1.22.9 releases address the issue. +People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2024-0444](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0444) + +### GStreamer 1.22.9 release + +- [Release notes](/releases/1.22/#1.22.9) +- [GStreamer Plugins Bad 1.22.9](/src/gst-plugins-bad/gst-plugins-bad-1.22.9.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5970.patch) diff --git a/security-advisories/sa-2024-0002.md b/security-advisories/sa-2024-0002.md new file mode 100644 index 0000000000..5c2a5be8c3 --- /dev/null +++ b/security-advisories/sa-2024-0002.md @@ -0,0 +1,52 @@ +# Security Advisory 2024-0002 (ZDI-CAN-23896, CVE-2024-4453) + +
+ +| | | +| ----------------- | --- | +| Summary | Integer overflow in EXIF metadata parser leading to potential heap overwrite | +| Date | 2024-04-29 20:00 | +| Affected Versions | GStreamer gst-plugins-base < 1.24.3, gst-plugins-base < 1.22.12 | +| IDs | GStreamer-SA-2024-0002
ZDI-CAN-23896
CVE-2024-4453 | + +
+ +## Details + +Heap-based buffer overflow in the EXIF image tag parser when handling certain malformed streams before GStreamer 1.24.3 or 1.22.12. + +## Impact + +It is possible for a malicious third party to trigger a crash in the application, +and possibly also effect code execution through heap manipulation. + +## Solution + +The gst-plugins-base 1.24.3 and 1.22.12 releases address the issue. +People using older branches of GStreamer should apply the patch and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2024-4453](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4453) + +### GStreamer releases + +#### 1.24 (current stable) + +- [GStreamer 1.24.3 release notes](/releases/1.24/#1.24.3) +- [GStreamer Plugins Base 1.24.3](/src/gst-plugins-base/gst-plugins-base-1.24.3.tar.xz) + +#### 1.22 (old stable) + +- [GStreamer 1.22.12 release notes](/releases/1.22/#1.22.12) +- [GStreamer Plugins Base 1.22.12](/src/gst-plugins-base/gst-plugins-base-1.22.12.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6766.patch) diff --git a/security-advisories/sa-2024-0003.md b/security-advisories/sa-2024-0003.md new file mode 100644 index 0000000000..bdf04a6729 --- /dev/null +++ b/security-advisories/sa-2024-0003.md @@ -0,0 +1,50 @@ +# Security Advisory 2024-0003 (JVN#02030803, JPCERT#92912620, CVE-2024-40897) + +
+ +| | | +| ----------------- | --- | +| Summary | Orc compiler stack-based buffer overflow | +| Date | 2024-07-19 12:30 | +| Affected Versions | orc < 0.4.39 | +| IDs | GStreamer-SA-2024-0003
JVN#02030803 / JPCERT#92912620
CVE-2024-40897 | + +
+ +## Details + +Stack-based buffer overflow in the Orc compiler when formatting error messages for certain input files. + +## Impact + +It is possible for a malicious third party to trigger a buffer overflow and +effect code execution with the same privileges as the orc compiler is called +with by feeding it with malformed orc source files. + +This only affects developers and CI environments using orcc, not users of liborc. + +## Solution + +The Orc 0.4.39 release address the issue. +People using older branches of Orc should apply the patches and recompile. + +## References + +### The GStreamer project + +- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) + +### CVE Database Entries + +- [CVE-2024-40897](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40897) + +### GStreamer Orc releases + +#### 0.4.39 + +- [Orc 0.4.39 release notes](https://discourse.gstreamer.org/t/orc-0-4-39-release/1969) +- [Orc 0.4.39 tarball (.tar.xz)](/src/orc/orc-0.4.39.tar.xz) + +### Patches + +- [Patch](https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191.patch)