GStreamer
open source multimedia framework
Home
Features
News
Annual Conference
Planet (Blogs)
Download
Applications
Security Center
GitLab
Developers
Documentation
Forum
File a Bug
Artwork
@gstreamer on Twitter
@gstreamer on Mastodon
#gstreamer on Matrix

Security Advisory 2024-0003 (JVN#02030803, JPCERT#92912620, CVE-2024-40897)

Summary Orc compiler stack-based buffer overflow
Date 2024-07-19 12:30
Affected Versions orc < 0.4.39
IDs GStreamer-SA-2024-0003
JVN#02030803 / JPCERT#92912620
CVE-2024-40897

Details

Stack-based buffer overflow in the Orc compiler when formatting error messages for certain input files.

Impact

It is possible for a malicious third party to trigger a buffer overflow and effect code execution with the same privileges as the orc compiler is called with by feeding it with malformed orc source files.

This only affects developers and CI environments using orcc, not users of liborc.

Solution

The Orc 0.4.39 release address the issue. People using older branches of Orc should apply the patches and recompile.

References

The GStreamer project

CVE Database Entries

GStreamer Orc releases

0.4.39

Patches


Report a problem on this page.