Security Advisory 2024-0014 (GHSL-2024-166, CVE-2024-47606)
Summary | Integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes
Date | 2024-12-03 20:00
Affected Versions | GStreamer core < 1.24.10, gst-plugins-good < 1.24.10
IDs | GStreamer-SA-2024-0014, GHSL-2024-166, CVE-2024-47606
Details
Integer overflow in the MP4/MOV demuxer and memory allocator that can lead to
out-of-bounds writes and that can cause crashes for certain input files.
Impact
It is possible for a malicious third party to trigger out-of-bounds writes that
can result in a crash of the application, or potentially also allow
code execution through heap manipulation.
Solution
The GStreamer core and gst-plugins-good 1.24.10 releases address the issue.
People using older branches of GStreamer should apply the patch and recompile.
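The bug class named under Details, shown as an added example that is not GStreamer code and does not reproduce the actual patch: a size taken from an untrusted file wraps in the parser, and an allocator that adds its own overhead wraps again, so the block ends up far smaller than the data written into it. The function names, `HDR_SIZE` and the sample values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE 64u /* hypothetical allocator bookkeeping header */

/* Parser side, unchecked: a declared size smaller than its own header wraps
 * to a value close to 4 GiB. */
static uint32_t atom_payload_unchecked(uint32_t atom_size, uint32_t hdr_len)
{
    return atom_size - hdr_len;
}

/* Parser side, checked: reject the atom instead of wrapping. */
static bool atom_payload_checked(uint32_t atom_size, uint32_t hdr_len, uint32_t *out)
{
    if (atom_size < hdr_len)
        return false;
    *out = atom_size - hdr_len;
    return true;
}

/* Allocator side, unchecked: header + payload + alignment slack can wrap past
 * SIZE_MAX, so the block is far smaller than the payload written into it. */
static size_t block_size_unchecked(size_t payload, size_t align_mask)
{
    return HDR_SIZE + payload + align_mask;
}

/* Allocator side, checked: fail the allocation if any addition would wrap. */
static bool block_size_checked(size_t payload, size_t align_mask, size_t *out)
{
    if (payload > SIZE_MAX - HDR_SIZE)
        return false;
    if (align_mask > SIZE_MAX - HDR_SIZE - payload)
        return false;
    *out = HDR_SIZE + payload + align_mask;
    return true;
}

int main(void)
{
    size_t total = 0;
    uint32_t len = 0;
    printf("wrapped payload length: %lu\n", (unsigned long)atom_payload_unchecked(4, 8));
    printf("checked parser accepts: %d\n", atom_payload_checked(4, 8, &len));
    printf("wrapped block size: %zu\n", block_size_unchecked(SIZE_MAX - 10, 15));
    printf("checked allocator accepts: %d\n", block_size_checked(SIZE_MAX - 10, 15, &total));
    return 0;
}
```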
References
The GStreamer project
CVE Database Entries
GStreamer releases
1.24 (current stable)
Patches