Security Advisory 2016-0002
(CVE-2016-9634)
(CVE-2016-9635)
(CVE-2016-9636)
(CVE-2016-9807)
Summary: Multiple Issues in FLC/FLI/FLX Decoder
Date: 2016-11-23 03:00
Affected Versions: GStreamer gst-plugins-bad 1.10 < 1.10.2, GStreamer gst-plugins-bad 1.x <= 1.8.3
ID: GStreamer-SA-2016-0002, CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807
Details
The decoder for the FLC/FLI/FLX animation video formats in gst-plugins-good contains various out-of-bounds writes and reads and fails to initialise output frame memory.
Impact
If successful, a malicious third party could trigger either a crash in an application decoding a FLC/FLI/FLX video stream, or arbitrary code execution with the privileges of the target user.
The failure to initialise output memory may result in an information leak.
Threat mitigation
Exploitation requires the user to access a FLC/FLI/FLX stream or file.
Workarounds
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites, or disable the FLC/FLI/FLX decoder plugin by removing the plugin binary file libgstflxdec.so or libgstflxdec.dll.
Solution
The gst-plugins-bad 1.10.2 release addresses the issue. The upcoming gst-plugins-bad 1.8.4 release will also address the issue. People using older branches of GStreamer should apply the patch and recompile, or disable the FLC/FLI/FLX plugin.
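An added audit helper for the checks above (not GStreamer project code): `flx_affected` tests a version string against the affected ranges this advisory lists, and `find_flxdec` locates the plugin binaries named under Workarounds. The function names are hypothetical, and the version string and plugin directories are supplied by the caller.

```shell
#!/bin/sh
# Added example for GStreamer-SA-2016-0002; not GStreamer project code.
# Function names are hypothetical; version and directories come from the caller.

# flx_affected VERSION
# Returns 0 if VERSION is in the ranges the advisory lists as affected
# (1.10 series below 1.10.2, or 1.x up to and including 1.8.3),
# 1 if it is outside them, 2 if VERSION is not a dotted numeric string.
flx_affected() {
    case "$1" in ''|*[!0-9.]*) return 2 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into major minor micro
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; micro=${3:-0}
    [ "$major" -eq 1 ] || return 1
    if [ "$minor" -eq 10 ]; then
        [ "$micro" -lt 2 ]         # 1.10.0 and 1.10.1
    elif [ "$minor" -lt 8 ]; then
        return 0                   # older 1.x series
    elif [ "$minor" -eq 8 ]; then
        [ "$micro" -le 3 ]         # 1.8.0 through 1.8.3
    else
        return 1                   # e.g. 1.9.x: not named by the advisory
    fi
}

# find_flxdec DIR...
# Prints each decoder plugin binary under the given plugin directories,
# matching the two file names given in the Workarounds section.
find_flxdec() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name libgstflxdec.so -o -name libgstflxdec.dll \)
    done
}

# flx_audit VERSION DIR...
# Reports the version status and, when affected, the binaries to remove.
flx_audit() {
    version=$1; shift
    rc=0; flx_affected "$version" || rc=$?
    case $rc in
        0) echo "affected: $version"; find_flxdec "$@" ;;
        1) echo "outside the advisory's affected ranges: $version" ;;
        *) echo "unparseable version: $version" ;;
    esac
}
```

A distribution package may carry a backported fix under an older version number, so a result of "affected" for a packaged build should be checked against the vendor's own advisory.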
References
The GStreamer project
CVE Database Entries
GStreamer Bugzilla Entries
GStreamer Patches