oss-sec mailing list archives
Re: CVE Request: gstreamer plugins
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 19 Nov 2016 11:59:32 +0100
Hi,

On Fri, 18 Nov 2016 17:31:19 +0100 Marcus Meissner <meissner () suse de> wrote:

> 1. Buffer overflow in VMNC decoder in gstreamer plugins:
> https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html

I wanted to point out that while it's good the buffer overflow gets fixed, that's by far not the major issue here.

This is a very problematic design decision with the functionality of tracker/GNOME that exposes all files on a system to who knows how many decoders of probably overall very low quality. Almost certainly there are countless other vulnerabilities of similar kind in all kinds of gstreamer codecs. (and I haven't checked, but I assume tracker also exposes other files to other equally problematic decoders)

I think this is kinda a symptom of two goals clashing: We have projects like gstreamer that attempt to parse every file format ever seen in their area - which of course has some value, especially in terms of preserving digital culture. But on the other hand exposing this code to untrusted inputs is a security disaster.

I'm wondering if there is any statement or reaction from either gnome or fedora on this.

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42