# Security Advisory 2016-0002 (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807)

<div class="vertical-table">

|                   |     |
| ----------------- | --- |
| Summary           | Multiple Issues in FLC/FLI/FLX Decoder |
| Date              | 2016-11-23 03:00 |
| Affected Versions | GStreamer gst-plugins-bad 1.10 < 1.10.2<br/>GStreamer gst-plugins-bad 1.x <= 1.8.3 |
| IDs               | GStreamer-SA-2016-0002<br/>CVE-2016-9634<br/>CVE-2016-9635<br/>CVE-2016-9636<br/>CVE-2016-9807 |

</div>

## Details

The decoder for the FLC/FLI/FLX animation video formats in gst-plugins-good contains various out-of-bounds writes and reads and fails to initialize output frame memory.

## Impact

If successful, a malicious third party could trigger either a crash in an application decoding a FLC/FLI/FLX video stream or an arbitrary code execution with the privileges of the target user. The failure to initialize output memory may result in an information leak.

## Threat Mitigation

Exploitation requires the user to access an FLC/FLI/FLX stream or file.

## Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites, or disable the FLC/FLI/FLX decoder plugin by removing the plugin binary file libgstflxdec.so or libgstflxdec.dll.

## Solution

The gst-plugins-bad 1.10.2 release addresses the issue. The upcoming gst-plugins-bad 1.8.4 release will also address the issue. People using older branches of GStreamer should apply the patch and recompile or disable the FLC/FLI/FLX plugin.

## References

### The GStreamer project

- [https://gstreamer.freedesktop.org](https://gstreamer.freedesktop.org)

### CVE Database Entries

- [CVE-2016-9634](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9634)
- [CVE-2016-9635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9635)
- [CVE-2016-9636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9636)
- [CVE-2016-9807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9807)

### GStreamer Bugzilla Entries

- [Bug 774834](https://bugzilla.gnome.org/show_bug.cgi?id=774834)
- [Bug 774859](https://bugzilla.gnome.org/show_bug.cgi?id=774859)

### GStreamer Patches

- [Patch 1](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac)
- [Patch 2](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=fec77de8cbb0c8192b77aff2e563705ba421f2f2)
- [Patch 3](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=45dcd0b9ccf33ed85cdafeb871a3781f5be57fd9)
- [Patch 4](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff)
- [Patch 5](https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=96aaf889afe90b5e02ec756af5c6c7000d2cc424)