Описание
A flaw was found in GStreamer. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. The flaw exists within the handling of palette data in AVI files, where a lack of proper validation of user-supplied data can lead to an integer overflow before writing to memory. An attacker can leverage this integer overflow to execute code in the context of the current process.
Отчет
This is an IMPORTANT vulnerability in GStreamer that allows arbitrary code execution. The flaw occurs due to an integer overflow when processing palette data in specially crafted AVI files. Exploitation requires a user to process a malicious AVI file with an application linked against the GStreamer library.
Меры по смягчению последствий
To mitigate this issue, avoid processing untrusted AVI media files with applications that use the GStreamer library. Users should exercise caution when opening or playing AVI files from unknown or suspicious sources.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | gstreamer1 | Affected | ||
| Red Hat Enterprise Linux 6 | gstreamer | Out of support scope | ||
| Red Hat Enterprise Linux 7 | gstreamer | Affected | ||
| Red Hat Enterprise Linux 7 | gstreamer1 | Affected | ||
| Red Hat Enterprise Linux 8 | gstreamer1 | Affected | ||
| Red Hat Enterprise Linux 8 | mingw-gstreamer1 | Affected | ||
| Red Hat Enterprise Linux 9 | gstreamer1 | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.8 High
CVSS3
Связанные уязвимости
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerab ...
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.
EPSS
7.8 High
CVSS3