CVE-2024-47775 – GHSL-2024-261: GStreamer has an OOB-read in parse_ds64
https://notcve.org/view.php?id=CVE-2024-47775
GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been found in the parse_ds64 function within gstwavparse.c. The parse_ds64 function does not check that the buffer buf contains sufficient data before attempting to read from it, doing multiple GST_READ_UINT32_LE operations without performing boundary checks. This can lead to an OOB-read when buf is smaller than expected. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. • https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042.patch https://gstreamer.freedesktop.org/security/sa-2024-0027.html https://securitylab.github.com/advisories/GHSL-2024-261_Gstreamer • CWE-125: Out-of-bounds Read •
CVE-2024-47774 – GHSL-2024-262: GStreamer has an OOB-read in gst_avi_subtitle_parse_gab2_chunk
https://notcve.org/view.php?id=CVE-2024-47774
GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. • https://github.com/github/securitylab-vulnerabilities/issues/1826 https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8043.patch https://securitylab.github.com/advisories/GHSL-2024-262_Gstreamer • CWE-125: Out-of-bounds Read •
CVE-2024-47613 – GHSL-2024-118: GStreamer has a null pointer dereference in gst_gdk_pixbuf_dec_flush
https://notcve.org/view.php?id=CVE-2024-47613
GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the vorbis_handle_identification_packet function within gstvorbisdec.c. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. • https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8041.patch https://gstreamer.freedesktop.org/security/sa-2024-0025.html https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer https://access.redhat.com/security/cve/CVE-2024-47613 https://bugzilla.redhat.com/show_bug.cgi?id=2331753 • CWE-476: NULL Pointer Dereference •
CVE-2024-47615 – GHSL-2024-117: GStreamer has an out-of-bounds write in Ogg demuxer
https://notcve.org/view.php?id=CVE-2024-47615
GStreamer is a library for constructing graphs of media-handling components. An OOB-Write has been detected in the function gst_parse_vorbis_setup_packet within vorbis_parse.c. The integer size is read from the input file without proper validation. As a result, size can exceed the fixed size of the pad->vorbis_mode_sizes array (which size is 256). When this happens, the for loop overwrites the entire pad structure with 0s and 1s, affecting adjacent memory as well. • https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038.patch https://gstreamer.freedesktop.org/security/sa-2024-0026.html https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer https://access.redhat.com/security/cve/CVE-2024-47615 https://bugzilla.redhat.com/show_bug.cgi?id=2331740 • CWE-787: Out-of-bounds Write •
CVE-2024-47607 – GHSL-2024-116: Stack-buffer overflow in gst_opus_dec_parse_header
https://notcve.org/view.php?id=CVE-2024-47607
GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. • https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037.patch https://gstreamer.freedesktop.org/security/sa-2024-0024.html https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer https://access.redhat.com/security/cve/CVE-2024-47607 https://bugzilla.redhat.com/show_bug.cgi?id=2331754 • CWE-121: Stack-based Buffer Overflow •