src/htdocs/security/sa-2023-0002.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

<?xml-stylesheet href="advisory-detail.xsl" type="text/xsl"?>
<!DOCTYPE xsl:stylesheet
[
  <!ENTITY % site-entities SYSTEM "../entities.site">
  %site-entities;
]>
<advisory>
<id>2023-0002</id>
<alternate-name>ZDI-CAN-20968</alternate-name>
<alternate-name>CVE-2023-37328</alternate-name>
<date>2023-06-20 18:00</date>
<summary>Heap overwrite in subtitle parsing</summary>
<affected-versions>GStreamer gst-plugins-base 1.x &lt; 1.22.4, 1.x &lt; 1.20.7, 0.10.x</affected-versions>

<details>Heap-based buffer overflow in the subparse subtitle parser when handling certain SRT subtitle files in GStreamer versions before 1.22.4 / 1.20.7.</details>
<impact>It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.</impact>
<mitigation></mitigation>
<workarounds></workarounds>
<solution></solution>
<solution>The gst-plugins-base 1.22.4 / 1.20.7 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.</solution>
<references>
    <reference>
        <title>The GStreamer project</title>
        <content> <a href="https://gstreamer.freedesktop.org">https://gstreamer.freedesktop.org</a></content>
    </reference>
    <reference>
    <title>CVE Database Entries</title>
    <content> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37328">CVE-2023-37328</a>  </content>
    </reference>
    <reference>
        <title>GStreamer 1.22.4 release</title>
        <content>
          <a href="https://gstreamer.freedesktop.org/releases/1.22/#1.22.4">Release Notes</a>
          <a href="https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-1.22.4.tar.xz">GStreamer Plugins Base 1.22.4</a>
        </content>
    </reference>
    <reference>
        <title>GStreamer 1.20.7 release</title>
        <content>
          <a href="https://gstreamer.freedesktop.org/releases/1.20/#1.20.7">Release Notes</a>
          <a href="https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-1.20.7.tar.xz">GStreamer Plugins Base 1.20.7</a>
        </content>
    </reference>
    <reference>
        <title>Patches</title>
        <content>
          <a href="https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895.patch">Patches</a></content>
    </reference>
</references>
</advisory>