gstreamer1-plugins-bad-free-1.16.1-4.el8

Errata ID: AXSA:2024-8316:04

Release date: Monday, June 17, 2024 - 19:14
Subject: gstreamer1-plugins-bad-free-1.16.1-4.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer.

Security Fix(es):

* gstreamer-plugins-bad: Integer overflow leading to heap overwrite in MXF file handling with uncompressed video (CVE-2023-40474)
* gstreamer-plugins-bad: Integer overflow leading to heap overwrite in MXF file handling with AES3 audio (CVE-2023-40475)
* gstreamer-plugins-bad: Integer overflow in H.265 video parser leading to stack overwrite (CVE-2023-40476)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 8.10 Release Notes linked from the References section.

CVE-2023-40474
GStreamer MXF File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of MXF video files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21660.
CVE-2023-40475
GStreamer MXF File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of MXF video files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21661.
CVE-2023-40476
GStreamer H265 Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of H265 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21768.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. gstreamer1-plugins-bad-free-1.16.1-4.el8.src.rpm
    MD5: fff7b0e6267dc9dfb084003b4970380a
    SHA-256: b59aa6de619671443b7902b18d04bf61bbfe04b65741ace2b9ddc379d0fd582f
    Size: 5.03 MB

Asianux Server 8 for x86_64
  1. gstreamer1-plugins-bad-free-1.16.1-4.el8.i686.rpm
    MD5: b80a7197faf631bff8a552c4e3a7dc05
    SHA-256: 21e1a7787049450686404efe3de6b387469a3c49da06014b13b4f0de078b15d9
    Size: 1.91 MB
  2. gstreamer1-plugins-bad-free-1.16.1-4.el8.x86_64.rpm
    MD5: ae667eeb821db7ae1975795193e5aa7d
    SHA-256: 4532e8541ab34438b2e14a490e30166035d550022c4d1370501967ff60667fa8
    Size: 1.83 MB
  3. gstreamer1-plugins-bad-free-devel-1.16.1-4.el8.i686.rpm
    MD5: cfbe33be77929f650299642fb792e13d
    SHA-256: 2e0cc25e0cc6686a8e308916eb91646b6529818d6bc7cf881086219f827ca4da
    Size: 525.24 kB
  4. gstreamer1-plugins-bad-free-devel-1.16.1-4.el8.x86_64.rpm
    MD5: e843d449ec7df938ef8e4e9df6bdfebf
    SHA-256: 8b40163b08dc111c572dfe8e18e4156be4dc24b8718cda26d0165294c2bfe07c
    Size: 525.30 kB