Security Advisory 2023-0007
(ZDI-CAN-21661)
(CVE-2023-40475)
Summary: Integer overflow leading to heap overwrite in MXF file handling with AES3 audio
Date: 2023-09-20 20:00
Affected Versions: GStreamer gst-plugins-bad < 1.22.6
ID: GStreamer-SA-2023-0007 / ZDI-CAN-21661 / CVE-2023-40475
Details
Heap-based buffer overflow in the MXF file demuxer when handling malformed files with AES3 audio, in GStreamer versions before 1.22.6. The root cause is an integer overflow in a size computation: the heap buffer allocated from the overflowed size is smaller than the data that is subsequently written into it, resulting in a heap overwrite.
Impact
A malicious third party who can get the application to process a crafted MXF file can trigger a crash, and possibly also achieve code execution through heap manipulation.
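The following is an added illustration of the bug class named in this advisory (an integer overflow in a size computation that leads to an undersized heap allocation and a heap overwrite), with a hardened form beside it. It is not GStreamer's code and does not reproduce the actual MXF/AES3 code path: the header layout, the field names `block_count`/`block_size`, and every `toy_*` function are assumptions invented for the demonstration. The hardened form uses the GCC/Clang builtin `__builtin_mul_overflow`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical essence element header. The field names and layout are
 * invented for this demonstration; they are not GStreamer's structures.
 * Both fields come straight from the (attacker-controlled) file. */
typedef struct {
    uint32_t block_count;   /* declared number of audio blocks */
    uint32_t block_size;    /* declared size of each block, in bytes */
} toy_essence_header;

/* VULNERABLE sizing: the 32-bit product wraps silently. A file declaring
 * 0x10000 blocks of 0x10000 bytes yields 0, so a buffer allocated from this
 * value holds nothing, while a copy loop bounded by block_count would still
 * write block_count * block_size bytes into it: the heap overwrite. */
uint32_t toy_payload_size_unchecked(const toy_essence_header *h)
{
    return h->block_count * h->block_size;
}

/* Bytes a copy loop that trusts block_count would actually write, computed
 * in 64 bits so the mismatch with the wrapped allocation size is visible. */
uint64_t toy_bytes_written_by_loop(const toy_essence_header *h)
{
    return (uint64_t) h->block_count * (uint64_t) h->block_size;
}

/* HARDENED unwrap: validate before allocating or copying anything. Rejects
 * a zero count or size, a product that overflows size_t (which is what
 * __builtin_mul_overflow reports), and a declared payload larger than the
 * bytes actually present in the input. On success returns a heap copy of
 * the payload (caller frees) and stores its length in *out_len; returns
 * NULL for a malformed element. */
uint8_t *toy_unwrap_checked(const toy_essence_header *h,
                            const uint8_t *data, size_t data_len,
                            size_t *out_len)
{
    size_t need;

    if (h->block_count == 0 || h->block_size == 0)
        return NULL;
    if (__builtin_mul_overflow((size_t) h->block_count,
                               (size_t) h->block_size, &need))
        return NULL;            /* product does not fit in size_t */
    if (need > data_len)
        return NULL;            /* file declares more than it contains */

    uint8_t *out = malloc(need);
    if (out == NULL)
        return NULL;
    memcpy(out, data, need);
    *out_len = need;
    return out;
}

int main(void)
{
    /* Constructed malicious header: 0x10000 * 0x10000 == 2^32, wraps to 0. */
    toy_essence_header evil = { 0x10000, 0x10000 };
    printf("unchecked alloc size: %u, bytes the loop would write: %llu\n",
           toy_payload_size_unchecked(&evil),
           (unsigned long long) toy_bytes_written_by_loop(&evil));

    /* Constructed benign element: 4 blocks of 3 bytes, all present. */
    static const uint8_t sample[] = "abcdefghijkl";
    toy_essence_header ok = { 4, 3 };
    size_t len = 0;
    uint8_t *out = toy_unwrap_checked(&ok, sample, sizeof sample, &len);
    printf("checked benign: %s, len %zu\n", out ? "accepted" : "rejected", len);
    free(out);

    printf("checked malicious: %s\n",
           toy_unwrap_checked(&evil, sample, sizeof sample, &len)
               ? "accepted" : "rejected");
    return 0;
}
```

Two checks matter in the hardened form, and a fix that adds only one of them is incomplete: the overflow-checked multiply stops the wrapped allocation, and the comparison against the bytes actually present stops an over-long but non-wrapping declaration from reading past the input. On a 64-bit build the product of two 32-bit fields never overflows `size_t`, so the second check is the one that rejects the constructed header above; on 32-bit builds the first check fires. GLib-based code can use `g_size_checked_mul()` for the same overflow check.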
Threat mitigation
Workarounds
Solution
The gst-plugins-bad 1.22.6 releases address the issue. People using older branches of GStreamer should apply the patch and recompile.
References
The GStreamer project
CVE Database Entries
GStreamer 1.22.6 release
Patches
Patches (includes patch for SA-2023-0006 / ZDI-CAN-21660 / CVE-2023-40474)