Security Advisory 2024-0002 (ZDI-CAN-23896, CVE-2024-4453)
|
|
Summary |
Integer overflow in EXIF metadata parser leading to potential heap overwrite |
Date |
2024-04-29 20:00 |
Affected Versions |
GStreamer gst-plugins-base < 1.24.3, gst-plugins-base < 1.22.12 |
IDs |
GStreamer-SA-2024-0002 ZDI-CAN-23896 CVE-2024-4453 |
Details
Heap-based buffer overflow in the EXIF image tag parser when handling certain malformed streams before GStreamer 1.24.3 or 1.22.12.
Impact
It is possible for a malicious third party to trigger a crash in the application,
and possibly also effect code execution through heap manipulation.
Solution
The gst-plugins-base 1.24.3 and 1.22.12 releases address the issue.
People using older branches of GStreamer should apply the patch and recompile.
References
The GStreamer project
CVE Database Entries
GStreamer releases
1.24 (current stable)
1.22 (old stable)
Patches