Security Advisory 2019-0001
Buffer overflow in RTSP parsing
GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server.
The potential exists for a malicious server to trigger remote code execution in a connecting client.
Exploitation requires the user to access a malicious RTSP server.
The user should refrain from opening RTSP streams from untrusted third parties.
The gst-plugins-base 1.16.0 release addresses the issue. People using older branches of GStreamer should apply the patch and recompile.
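One way to check an installed gst-plugins-base against the fixed release named above; this is an added example, not part of the original advisory or the GStreamer project's tooling. The function names are hypothetical, and the lookup assumes the library's development files are installed so that pkg-config can see the `gstreamer-plugins-base-1.0` module.

```shell
#!/bin/sh
# Added example: compare a gst-plugins-base version with the first fixed
# release from the advisory. Function names are hypothetical.

FIXED_IN="1.16.0"   # release that addresses the issue, per the advisory

# Return 0 if dotted version $1 is strictly lower than $2.
# Components are compared numerically, so 1.9 sorts before 1.16.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component just read; a missing component counts as 0.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}

# Print "affected", "fixed" or "unknown" for the given version string.
advisory_status() {
    case $1 in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;   # not a plain dotted version
    esac
    if version_lt "$1" "$FIXED_IN"; then
        echo "affected"
    else
        echo "fixed"
    fi
}

# Report on the local installation when pkg-config can find it.
if installed=$(pkg-config --modversion gstreamer-plugins-base-1.0 2>/dev/null); then
    echo "gst-plugins-base $installed: $(advisory_status "$installed")"
else
    echo "gst-plugins-base not found via pkg-config"
fi
```

A result of "affected" only means the version number is below 1.16.0; a build from an older branch that already carries the patch reports the same number, so confirm how the package was built.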
The GStreamer project
CVE Database Entries
GStreamer 1.16.0 release