# Security Advisory 2023-0005 (ZDI-CAN-21444)
| | | | ----------------- | --- | | Summary | Integer overflow leading to heap overwrite in RealMedia file handling | | Date | 2023-07-20 14:00 | | Affected Versions | GStreamer gst-plugins-ugly 1.x < 1.22.5, 1.x < 1.20.7, 0.10.x | | IDs | GStreamer-SA-2023-0005
ZDI-CAN-21444 |
## Details Heap-based buffer overflow in the RealMedia file demuxer when handling malformed files in GStreamer versions before 1.22.5 / 1.20.7. ## Impact It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation. ## Solution The gst-plugins-ugly 1.22.5 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile. ## References ### The GStreamer project - [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org) ### GStreamer 1.22.5 release - [Release Notes](/releases/1.22/#1.22.5) - [GStreamer Plugins Ugly 1.22.5](/src/gst-plugins-ugly/gst-plugins-ugly-1.22.5.tar.xz) ### GStreamer 1.20.7 release - [Release Notes](/releases/1.20/#1.20.7) - [GStreamer Plugins Ugly 1.20.7](/src/gst-plugins-ugly/gst-plugins-ugly-1.20.7.tar.xz) ### Patches - [Patches](https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072.patch)