blob: 1793b97c2f37d0bc6795b2924b40b1ecf76a103d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
<?xml-stylesheet href="advisory-detail.xsl" type="text/xsl"?>
<!DOCTYPE xsl:stylesheet
[
<!ENTITY % site-entities SYSTEM "../entities.site">
%site-entities;
]>
<advisory>
<id>2024-0001</id>
<alternate-name>ZDI-CAN-22873</alternate-name>
<alternate-name>CVE-2024-0444</alternate-name>
<date>2024-01-24 20:00</date>
<summary>AV1 codec parser potential buffer overflow during tile list parsing</summary>
<affected-versions>GStreamer gst-plugins-bad < 1.22.9</affected-versions>
<details>Heap-based buffer overflow in the AV1 codec parser when handling certain malformed streams before GStreamer 1.22.9</details>
<impact>It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.</impact>
<mitigation></mitigation>
<workarounds></workarounds>
<solution></solution>
<solution>The gst-plugins-bad 1.22.9 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.</solution>
<references>
<reference>
<title>The GStreamer project</title>
<content> <a href="https://gstreamer.freedesktop.org">https://gstreamer.freedesktop.org</a></content>
</reference>
<reference>
<title>CVE Database Entries</title>
<content> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0444">CVE-2024-0444</a> </content>
</reference>
<reference>
<title>GStreamer 1.22.9 release</title>
<content>
<a href="https://gstreamer.freedesktop.org/releases/1.22/#1.22.9">Release Notes</a>
<a href="https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-1.22.9.tar.xz">GStreamer Plugins Bad 1.22.9</a>
</content>
</reference>
<reference>
<title>Patches</title>
<content>
<a href="https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5970.patch">Patch</a>
</content>
</reference>
</references>
</advisory>
|
