gstreamer1-plugins-good-1.16.1-5.el8_10
エラータID: AXSA:2024-9444:03
リリース日:
2024/12/20 Friday - 13:32
題名:
gstreamer1-plugins-good-1.16.1-5.el8_10
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- GStreamer には、整数オーバーフローとこれに起因した
メモリ領域の範囲外書き込みの問題があるため、ローカルの
攻撃者により、細工されたファイルの入力を介して、データ
破壊、およびサービス拒否攻撃などを可能とする脆弱性が存在
します。(CVE-2024-47537)
- GStreamer の
isomp4/qtdemux.c の convert_to_s334_1a() 関数には、
メモリ領域の範囲外書き込みの問題があるため、ローカルの
攻撃者により、データ破壊、情報の漏洩、およびサービス拒否
攻撃などを可能とする脆弱性が存在します。(CVE-2024-47539)
- GStreamer の matroska-demux.c の
gst_matroska_demux_add_wvpk_header() 関数には、スタック
領域内の変数の初期化が欠落しているため、ローカルの攻撃者
により、任意のコードの実行を可能とする脆弱性が
存在します。(CVE-2024-47540)
- GStreamer の qtdemux.c の
qtdemux_parse_theora_extension() 関数には、整数アンダー
フローの問題があるため、ローカルの攻撃者により、細工された
ファイルの入力を介して、任意のコードの実行、メモリ破壊、
およびサービス拒否攻撃などを可能とする脆弱性が存在します。
(CVE-2024-47606)
- GStreamer の gstvorbisdec.c の
vorbis_handle_identification_packet() 関数には、スタック
領域のバッファーオーバーフローの問題があるため、ローカル
の攻撃者により、任意のコードの実行、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2024-47613)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2024-47537
GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10.
GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10.
CVE-2024-47539
GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10.
GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10.
CVE-2024-47540
GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.
GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.
CVE-2024-47606
GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.
GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.
CVE-2024-47613
GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.
GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.
追加情報:
N/A
ダウンロード:
SRPMS
- gstreamer1-plugins-good-1.16.1-5.el8_10.src.rpm
MD5: fb4182ea2eb2f126634c8dcd0fde5e40
SHA-256: 0c8c2f85aa2ed97f23e6e6a1efa112c698fa5597c47885d73793139f4e84ea82
Size: 3.75 MB
Asianux Server 8 for x86_64
- gstreamer1-plugins-good-1.16.1-5.el8_10.i686.rpm
MD5: 31fafbb019bbc0318961742a4bbd7e4a
SHA-256: cd5c27c45458846b572cee9cceb749360ceda0e054a98deafdc0575f5d41ce81
Size: 2.37 MB - gstreamer1-plugins-good-1.16.1-5.el8_10.x86_64.rpm
MD5: e7711623f1ebc0f115d1883a9bd669dc
SHA-256: 8194d36fad5a9ee31a53e8ce17951fb9ebbbdebd0960ed9118a4e5af484ac4f2
Size: 2.29 MB - gstreamer1-plugins-good-gtk-1.16.1-5.el8_10.i686.rpm
MD5: f49196653ccbef14ca18e942d39202b5
SHA-256: e89e551acef693d9fd88dcef378e88435d06bbcab045e2906ac4b87c26dc3d20
Size: 37.65 kB - gstreamer1-plugins-good-gtk-1.16.1-5.el8_10.x86_64.rpm
MD5: 6a01c3448b9cc4913e30fca80d2b5b2a
SHA-256: f92e14d309ed89024a398417539274677f10fcb7ed3be691d1721b1ce8632d50
Size: 36.45 kB
English