gstreamer1-plugins-good-1.22.1-3.el9_5
エラータID: AXSA:2024-9484:04
リリース日:
2024/12/24 Tuesday - 21:44
題名:
gstreamer1-plugins-good-1.22.1-3.el9_5
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- GStreamer には、整数オーバーフローとこれに起因したメモリ
領域の範囲外書き込みの問題があるため、ローカルの攻撃者に
より、細工されたファイルの入力を介して、データ破壊、および
サービス拒否攻撃などを可能とする脆弱性が存在します。
(CVE-2024-47537)
- GStreamer の isomp4/qtdemux.c の convert_to_s334_1a()
関数には、メモリ領域の範囲外書き込みの問題があるため、
ローカルの攻撃者により、データ破壊、情報の漏洩、および
サービス拒否攻撃などを可能とする脆弱性が存在します。
(CVE-2024-47539)
- GStreamer の matroska-demux.c の
gst_matroska_demux_add_wvpk_header() 関数には、スタック
領域内の変数の初期化が欠落しているため、ローカルの攻撃者に
より、任意のコードの実行を可能とする脆弱性が存在します。
(CVE-2024-47540)
- GStreamer の qtdemux.c の
qtdemux_parse_theora_extension() 関数には、整数アンダー
フローの問題があるため、ローカルの攻撃者により、細工された
ファイルの入力を介して、任意のコードの実行、メモリ破壊、
およびサービス拒否攻撃などを可能とする脆弱性が存在します。
(CVE-2024-47606)
- GStreamer の gstvorbisdec.c の
vorbis_handle_identification_packet() 関数には、スタック
領域のバッファーオーバーフローの問題があるため、ローカルの
攻撃者により、任意のコードの実行、データ破壊、およびサービス
拒否攻撃を可能とする脆弱性が存在します。(CVE-2024-47613)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2024-47537
GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10.
GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10.
CVE-2024-47539
GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10.
GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10.
CVE-2024-47540
GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.
GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.
CVE-2024-47606
GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.
GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.
CVE-2024-47613
GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.
GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.
追加情報:
N/A
ダウンロード:
SRPMS
- gstreamer1-plugins-good-1.22.1-3.el9_5.src.rpm
MD5: fdcac93cf16ebd1efc952998371e9ad6
SHA-256: 63fbb061eb3a4bde09cdb1ba37fb7c15d96341c4aaab9df46562f9bffb888f04
Size: 2.69 MB
Asianux Server 9 for x86_64
- gstreamer1-plugins-good-1.22.1-3.el9_5.i686.rpm
MD5: 9329f875fdda5f07905e667d20a43ee8
SHA-256: 4cb0b68a9f9d6b465af370e70d8c793e97d857a882b353452cd61d30097f6ad5
Size: 2.49 MB - gstreamer1-plugins-good-1.22.1-3.el9_5.x86_64.rpm
MD5: b7b85bd99c3e2d8fd5c5764bae3d4a63
SHA-256: 6eb2433d2649bb5b71b484ae22021404228c8be11e346a759f4f4c114638d314
Size: 2.39 MB - gstreamer1-plugins-good-gtk-1.22.1-3.el9_5.i686.rpm
MD5: 1480ca6bd4b5359b66c11100ed7b3f93
SHA-256: 9bd44266e374c84443510193aab99ca3bfbc71e01648a8abbd2b6cab3952b8fe
Size: 33.13 kB - gstreamer1-plugins-good-gtk-1.22.1-3.el9_5.x86_64.rpm
MD5: 0c01ec8e172d77fc0478fa4f5887c377
SHA-256: 269ddde8ab851a11847ab3014579e29af2ddafd5091a8ea622917f6fdc16bf06
Size: 31.53 kB
English