CVE-2024-47545

12.12.2024, 02:03

GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in qtdemux_parse_trak function within qtdemux.c. During the strf parsing case, the subtraction size -= 40 can lead to a negative integer overflow if it is less than 40. If this happens, the subsequent call to gst_buffer_fill will invoke memcpy with a large tocopy size, resulting in an OOB-read. This vulnerability is fixed in 1.24.10.

Wrap or Wraparound

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 35%

Vendor	Product	Version
gstreamer_project	gstreamer	𝑥 < 1.24.10

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

gst-plugins-good1.0

bullseye	vulnerable
bullseye (security)	1.18.4-2+deb11u3 fixed
bookworm	1.22.0-5+deb12u2 fixed
bookworm (security)	1.22.0-5+deb12u2 fixed
sid	1.26.1-1 fixed
trixie	1.26.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

gst-plugins-good0.10

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
xenial	needs-triage

gst-plugins-good1.0

plucky	not-affected
oracular	Fixed 1.24.8-1ubuntu1.1 released
noble	Fixed 1.24.2-1ubuntu1.1 released
jammy	Fixed 1.20.3-0ubuntu1.3 released
focal	Fixed 1.16.3-0ubuntu1.3 released
bionic	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-191 - Integer Underflow (Wrap or Wraparound)
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

References

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch

https://gstreamer.freedesktop.org/security/sa-2024-0010.html

https://securitylab.github.com/advisories/GHSL-2024-242_Gstreamer/