CVE-2024-47613

Опубликовано: 11 дек. 2024

Источник: redhat

CVSS3: 6.5

Описание

GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in gst_gdk_pixbuf_dec_flush within gstgdkpixbufdec.c. This function invokes memcpy, using out_pix as the destination address. out_pix is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to memcpy to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.

A flaw was found in the gdk-pixbuf decoder in the GStreamer library. Processing a specially crafted input file can cause a NULL pointer dereference due to an unchecked return value, resulting in an application crash and a denial of service.

Отчет

To exploit this flaw, an attacker needs to trick a user into opening or processing a specially crafted file with the gdk-pixbuf decoder. As user interaction is required to trigger is issue and the impact is limited to an application crash, this flaw has been rated with a Moderate severity.

Меры по смягчению последствий

Do not process untrusted files with the gdk-pixbuf decoder and monitor application crashes as this may indicate exploitation attempts.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 10	gstreamer1-plugins-good	Affected
Red Hat Enterprise Linux 7 Extended Lifecycle Support	gstreamer1-plugins-base	Fixed	RHSA-2024:11344	18.12.2024
Red Hat Enterprise Linux 7 Extended Lifecycle Support	gstreamer1-plugins-good	Fixed	RHSA-2024:11344	18.12.2024
Red Hat Enterprise Linux 8	gstreamer1-plugins-good	Fixed	RHSA-2024:11299	17.12.2024
Red Hat Enterprise Linux 8.2 Advanced Update Support	gstreamer1-plugins-good	Fixed	RHSA-2024:11148	18.12.2024
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	gstreamer1-plugins-good	Fixed	RHSA-2024:11346	18.12.2024
Red Hat Enterprise Linux 8.4 Telecommunications Update Service	gstreamer1-plugins-good	Fixed	RHSA-2024:11346	18.12.2024
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions	gstreamer1-plugins-good	Fixed	RHSA-2024:11346	18.12.2024
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	gstreamer1-plugins-good	Fixed	RHSA-2024:11149	18.12.2024
Red Hat Enterprise Linux 8.6 Telecommunications Update Service	gstreamer1-plugins-good	Fixed	RHSA-2024:11149	18.12.2024

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-476

https://bugzilla.redhat.com/show_bug.cgi?id=2331753gstreamer1-plugins-good: null pointer dereference in gst_gdk_pixbuf_dec_flush

6.5 Medium

CVSS3

Связанные уязвимости

CVE-2024-47613

CVSS3: 9.8

ubuntu

6 месяцев назад

GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.