oss-sec mailing list archives
Re: CVE Request: gstreamer plugins
From: <cve-assign () mitre org>
Date: Fri, 18 Nov 2016 17:59:40 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Bufferoverflow in VMNC decoder in gstreamer plugins https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe https://bugzilla.gnome.org/show_bug.cgi?id=774533
The vmnc decoder in the gstreamer code base contains a fairly obvious and simple width * height * depth integer overflow in the allocation of the render buffer. From gst-plugins-bad1.0/gst/vmnc/vmncdec.c vmnc_handle_wmvi_rectangle
Use CVE-2016-9445 for the integer overflow.
The render canvas, as allocated in the code snippet quoted way above, is not black filled or otherwise initialized. The call to g_malloc() is just a thin wrapper around malloc(), which does not initialize any returned heap area. Therefore, there's an easy information leak in thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas at all. This could be a problem for anyone using gstreamer in a server environment to provide thumbnailing services.
Use CVE-2016-9446 for the lack of initialization.
Missing bounds check in NSF decoder in gstreamer plugins http://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-compromising-linux-desktop.html
The vulnerability is in libgstnsf.so, an audio decoder present in the gstreamer-0.10 distribution.
1: Lack of checking ROM size when mapping into 6502 memory and bank switching
an out of bounds read
[or] read and write control over the host emulator heap [when combined with] 2: Ability to load or bank switch ROM to writable memory locations
Use CVE-2016-9447 for the entire libgstnsf.so report. The "2" issue is not independently relevant. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYL4d2AAoJEHb/MwWLVhi2MSsP/0H0am8yTwfPZ5wbztUSwgjZ vyCTMEZaqx1s4sOKn5JJt5XNb4YEjVNCU7W5yrSGsdeO4kxxIerCvPTVQd6Y252Q GLD9v6EPFT7CxK7fTTLjzBs6y30iEdbsZyPzHAqWqLma2epM4k9ubrMRuipUnPEW TlEh7Qo0NigqWJSYdtBOLpBCAWfbDjxLVz8qbPs1C5aQ0tqJ/ZG8ArzVs3X1lVZg BqdXGNcLk7kaJRRGXDDBL8uoFViR+QXidfJIJMHALc7sPu1TJ9mSPuxIQZ0OEODj 5Vygr5i1QA8RkWq67oI8JXVxPHDeBJVfC/p9p6Edg1bB7GH4kQDwwsneXA1kl0pu f350Ukjkihqg22S+mMSVwKljlthX5bCjLs1kIwzO956KMGdxUb28PeRJQrrkkxmV 4aNYm0+VYM3Z6OVQOL5KWoftg+d/ivdIlQUrZbbnXrHYgH7nZQZABOx+K16rABui fBr+3FSCs0l21NndFfWLAijCtaNO/AAzuXlVandCnI6tsY1Zlgt+YvqIr242aoQx ogmK8/Tmtv3eO4YN7LoMTm7QHTP8C+23EA07bblDelaodk1UNY8dPMDoRcBnh3Pp PwD55mZnyR/wpdclfc+iQWvOiMWhSbvuifxrpQF6BmjgExeQQX0dPsfloLXSLgy9 C4I8UNpl/tvSEY8uszPu =fjKF -----END PGP SIGNATURE-----
Current thread:
- CVE Request: gstreamer plugins Marcus Meissner (Nov 18)
- Re: CVE Request: gstreamer plugins cve-assign (Nov 18)
- Re: CVE Request: gstreamer plugins Hanno Böck (Nov 19)
- Re: CVE Request: gstreamer plugins Alex Gaynor (Nov 22)
- Re: CVE Request: gstreamer plugins cve-assign (Nov 23)
- Re: CVE Request: gstreamer plugins Alex Gaynor (Nov 22)