GStreamer
open source multimedia framework
Home
Features
News
Annual Conference
Planet (Blogs)
Download
Applications
Security Center
GitLab
Developers
Documentation
Forum
File a Bug
Artwork
@gstreamer on Twitter
@gstreamer on Mastodon
#gstreamer on Matrix

Security Advisory 2016-0002 (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9807)

Summary Multiple Issues in FLC/FLI/FLX Decoder
Date 2016-11-23 03:00
Affected Versions GStreamer gst-plugins-bad 1.10 < 1.10.2
GStreamer gst-plugins-bad 1.x <= 1.8.3
IDs GStreamer-SA-2016-0002
CVE-2016-9634
CVE-2016-9635
CVE-2016-9636
CVE-2016-9807

Details

The decoder for the FLC/FLI/FLX animation video formats in gst-plugins-good contains various out-of-bounds writes and reads and fails to initialize output frame memory.

Impact

If successful, a malicious third party could trigger either a crash in an application decoding a FLC/FLI/FLX video stream or an arbitrary code execution with the privileges of the target user. The failure to initialize output memory may result in an information leak.

Threat Mitigation

Exploitation requires the user to access an FLC/FLI/FLX stream or file.

Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites, or disable the FLC/FLI/FLX decoder plugin by removing the plugin binary file libgstflxdec.so or libgstflxdec.dll.

Solution

The gst-plugins-bad 1.10.2 release addresses the issue. The upcoming gst-plugins-bad 1.8.4 release will also address the issue. People using older branches of GStreamer should apply the patch and recompile or disable the FLC/FLI/FLX plugin.

References

The GStreamer project

CVE Database Entries

GStreamer Bugzilla Entries

GStreamer Patches


Report a problem on this page.