Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 1 Dec 2016 11:24:59 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: gstreamer multiple issues

Hi,

After the blogposts from Chris Evans about gstreamer insecurities I had
a look.

https://bugzilla.gnome.org/show_bug.cgi?id=774859
Invalid memory read in flx_decode_chunks (gst-plugins-good)
The fix is a larger rewrite of the affected code paths and probably
fixed a bunch of other issues on the way. It also fixes the second flic
bug reported by Chris Evans described here:
https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-incorrect-fix-for-gstreamer.html

https://bugzilla.gnome.org/show_bug.cgi?id=774896
h264: one byte heap off by one read in gst_h264_parse_set_caps
(gst-plugins-bad)

https://bugzilla.gnome.org/show_bug.cgi?id=774897
Invalid memory read in glib caused by one invalid unref call in the
flxdec decoder. (gst-plugins-good)

https://bugzilla.gnome.org/show_bug.cgi?id=774902
4 byte heap out of bounds read in windows_icon_typefind
(gst-plugins-base)

https://bugzilla.gnome.org/show_bug.cgi?id=775048
2 byte heap out of bounds read in gst_mpegts_section_new
(gst-plugins-bad).

https://bugzilla.gnome.org/show_bug.cgi?id=775120
null pointer deref (segfault) in mpegts decoder / _parse_pat
(gst-plugins-bad)

A note about the memory access bugs: glib's slice allocator can hide
them, so finding them with asan sometimes only works if one sets
G_SLICE=always-malloc


Stuff that's probably not security relevant:

Asserts / traps only:

https://bugzilla.gnome.org/show_bug.cgi?id=775130
h264 decoder assert (gst-plugins-bad)

https://bugzilla.gnome.org/show_bug.cgi?id=775219
avidemux trap on invalid utf-8



The gstreamer devs were very quick in fixing all issues. The release
1.10.2 should contain all the fixes.
https://gstreamer.freedesktop.org/releases/gstreamer/1.10.2.html


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ