Message-ID: <20260430235948.GA31035@openwall.com>
Date: Fri, 1 May 2026 01:59:48 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: 10+ CVEs in GStreamer

Hi,

I brought a bunch of GStreamer CVEs in here in March. In April, there was a new release with more CVEs announced/fixed. I'd really rather not be the one to be taking care of this - I guess we have subscribers who are involved with the project or its packaging? Anyone, please?

The new release is "1.28.2 stable bug fix release" with website news item dated "2026-04-07 23:00" and said to include "Various security fixes" and a lot more (with specifics). The security fixes are for:

> GStreamer-SA-2026-0023
> Denial of service in SRT/WebVTT parser
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0022
> CVE-2026-pending
> Heap buffer overflow in Matroska demuxer
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0021
> CVE-2026-pending
> Integer overflow in WAV parser cue handling
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0020
> Assertion failures in FLV demuxer on corrupted streams
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0019
> NULL-pointer dereferences in mDVDsub subtitle parser
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0018
> CVE-2026-pending
> MOV/MP4 demuxer audio channel parsing vulnerabilities
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0017
> Integer overflow in H.266/VVC parser leading to stack overflow
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0016
> CVE-2026-5056
> ZDI-CAN-29392
> Integer overflows and out-of-bounds access in MOV/MP4 demuxer
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0015
> CVE-2026-pending
> Integer overflows in JPEG 2000 decimator
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0014
> Integer overflow in AV1 LEB128 parser
> 2026-04-07 23:59
>
> GStreamer-SA-2026-0013
> H.264 video parser NULL pointer dereference when freeing SPS/MVC data
> 2026-04-07 23:59

as listed at https://gstreamer.freedesktop.org/security/ along with links to "Details" for each (which I have no time to extract and process into this posting).

On Mon, Mar 16, 2026 at 03:58:16AM +0100, Solar Designer wrote:
> The news story at:
>
> https://www.opennet.me/opennews/art.shtml?num=64964
>
> originally in Russian explains GStreamer usage as follows, translated to
> English here:
>
> > The GStreamer library is used to parse multimedia files in Nautilus
> > (GNOME Files), GNOME Videos, and Rhythmbox, as well as in the
> > localsearch search engine (previously known as tracker-miners) developed
> > by the GNOME project. This engine is installed in many distributions as
> > a dependency of the tracker-extract package, which GNOME uses to
> > automatically parse metadata in new files. Among other things, this
> > service indexes all files in the user's home directory without any user
> > interaction. Therefore, to perform an attack, simply create a specially
> > crafted multimedia file in the user's home directory, and the
> > vulnerability will be exploited during its automatic indexing.
> >
> > In most GNOME distributions, localsearch components (tracker-miners) are
> > enabled by default and loaded as a hard dependency of the Nautilus file
> > manager (GNOME Files). Starting with GNOME 46, the localsearch process
> > runs in sandbox isolation. To disable metadata extraction, you can
> > delete the rules files from the /usr/share/localsearch3/extract-rules/
> > or /usr/share/tracker3-miners/extract-rules/ directory.

I don't know how good or not the mentioned "sandbox isolation" is; I'd welcome comments on the risks involved and potential further hardening.

Alexander
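An added example, not part of the post above or of the GStreamer or localsearch projects: a small audit that reads an extract-rules directory and reports which MIME types are routed to the GStreamer extractor, so an administrator can see what the indexer will hand to GStreamer before deciding which rule files to remove. The `[ExtractorRule]` / `ModulePath` / `MimeTypes` key layout of the `*.rule` files, and the sample rule contents, are assumptions made here; check them against the files on your own system.

```python
import configparser
import os
import tempfile

# Directories named in the quoted article; the first that exists is used.
RULE_DIRS = (
    "/usr/share/localsearch3/extract-rules",
    "/usr/share/tracker3-miners/extract-rules",
)

# Constructed sample rule files (assumed format) standing in for a real directory.
SAMPLE_RULES = {
    "10-svg.rule": "[ExtractorRule]\nModulePath=libextract-svg.so\nMimeTypes=image/svg+xml\n",
    "15-gstreamer-guess.rule": (
        "[ExtractorRule]\nModulePath=libextract-gstreamer.so\n"
        "MimeTypes=video/x-matroska;video/mp4;video/x-flv;audio/x-wav\n"
    ),
    "90-gstreamer-generic.rule": (
        "[ExtractorRule]\nModulePath=libextract-gstreamer.so\nMimeTypes=audio/*;video/*\n"
    ),
}

def gstreamer_rules(rule_dir):
    """Return {rule_file: [mime types]} for every rule loading a GStreamer module."""
    found = {}
    for name in sorted(os.listdir(rule_dir)):
        if not name.endswith(".rule"):
            continue
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read(os.path.join(rule_dir, name))
        if not cfg.has_section("ExtractorRule"):
            continue  # not a rule file we understand; leave it alone
        module = cfg.get("ExtractorRule", "ModulePath", fallback="")
        if "gstreamer" not in module.lower():
            continue
        mimes = cfg.get("ExtractorRule", "MimeTypes", fallback="")
        found[name] = [m for m in mimes.split(";") if m]
    return found

def audit_sample():
    """Run the audit over the constructed sample rules in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_RULES.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return gstreamer_rules(d)

if __name__ == "__main__":
    target = next((d for d in RULE_DIRS if os.path.isdir(d)), None)
    result = gstreamer_rules(target) if target else audit_sample()
    for rule, mimes in result.items():
        print(f"{rule}: {len(mimes)} MIME type(s) -> GStreamer: {', '.join(mimes)}")
```

Rule files that list wildcard types such as `video/*` are the ones worth attention first, since they route anything the MIME sniffer calls video through GStreamer regardless of the exact container.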