CVE-2024-47540 – GHSL-2024-197: GStreamer uses uninitialized stack memory in Matroska/WebM demuxer
https://notcve.org/view.php?id=CVE-2024-47540
GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution.
References: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch | https://gstreamer.freedesktop.org/security/sa-2024-0017.html | https://securitylab.github.com/advisories/GHSL-2024-197_GStreamer | https://access.redhat.com/security/cve/CVE-2024-47540 | https://bugzilla.redhat.com/show_bug.cgi?id=2331719
Weakness: CWE-457: Use of Uninitialized Variable
CVE-2024-47539 – GHSL-2024-195: GStreamer has an OOB-write in convert_to_s334_1a
https://notcve.org/view.php?id=CVE-2024-47539
GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array.
References: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch | https://gstreamer.freedesktop.org/security/sa-2024-0007.html | https://securitylab.github.com/advisories/GHSL-2024-195_Gstreamer | https://access.redhat.com/security/cve/CVE-2024-47539 | https://bugzilla.redhat.com/show_bug.cgi?id=2331726
Weakness: CWE-787: Out-of-bounds Write
CVE-2024-47538 – GHSL-2024-115: GStreamer has a stack-buffer overflow in vorbis_handle_identification_packet
https://notcve.org/view.php?id=CVE-2024-47538
GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the vorbis_handle_identification_packet function within gstvorbisdec.c. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This vulnerability allows overwriting the EIP address stored on the stack.
References: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8035.patch | https://gstreamer.freedesktop.org/security/sa-2024-0022.html | https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer | https://access.redhat.com/security/cve/CVE-2024-47538 | https://bugzilla.redhat.com/show_bug.cgi?id=2331727
Weakness: CWE-121: Stack-based Buffer Overflow
CVE-2024-47537 – GHSL-2024-094: GStreamer has an OOB-write in isomp4/qtdemux.c
https://notcve.org/view.php?id=CVE-2024-47537
GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file, and if this value is big enough, the addition can overflow. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended.
References: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch | https://gstreamer.freedesktop.org/security/sa-2024-0005.html | https://securitylab.github.com/advisories/GHSL-2024-094_Gstreamer | https://access.redhat.com/security/cve/CVE-2024-47537 | https://bugzilla.redhat.com/show_bug.cgi?id=2331722
Weakness: CWE-190: Integer Overflow or Wraparound; CWE-787: Out-of-bounds Write
CVE-2023-38103 – GStreamer RealMedia File Parsing Integer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-38103
GStreamer RealMedia File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability, but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of MDPR chunks. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
References: https://gitlab.freedesktop.org/gstreamer/gstreamer/uploads/d4a0aa4ec2165f6c418703b9e1459d8b/0002-rmdemux-Check-for-integer-overflow-when-calculation-.patch | https://www.zerodayinitiative.com/advisories/ZDI-23-1007
Weakness: CWE-190: Integer Overflow or Wraparound