CVE-2023-50186: GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
First published: Fri Dec 22 2023(Updated: )
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5583-1 security <a href="https://www.debian.org/security/">https://www.debian.org/security/</a> Moritz Muehlenhoff December 21, 2023 <a href="https://www.debian.org/security/faq">https://www.debian.org/security/faq</a> - ------------------------------------------------------------------------- Package : gst-plugins-bad1.0 CVE ID : not yet available A buffer overflow was discovered in the AV1 video plugin for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened. The oldstable distribution (bullseye) is not affected. For the stable distribution (bookworm), this problem has been fixed in version 1.22.0-4+deb12u4. We recommend that you upgrade your gst-plugins-bad1.0 packages. For the detailed security status of gst-plugins-bad1.0 please refer to its security tracker page at: <a href="https://security-tracker.debian.org/tracker/gst-plugins-bad1.0">https://security-tracker.debian.org/tracker/gst-plugins-bad1.0</a> Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: <a href="https://www.debian.org/security/">https://www.debian.org/security/</a> Mailing list: debian-security-announce.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWEkCMACgkQEMKTtsN8 TjZOGQ/+P4p0HpeYQLjyb0UwvQ8XuLMd0BHI9AeBXAAvm2apCwIALqqTeMZ86YId XE/QiVqFccIMJ4GiyQyiSZLcS9py9RDLzw/y3pefi8n1gZdfLBJEvJtlYsPV0FD2 /a71aMG2hHqK2ez45mvsLJmGbanBaslC6cbJ5+/Y8psWBDq28VYEp3Zb5HnuHy2U 7lZIpZ1cQeChaE7ef+Qbnep6c8Lxyjf4fyBj2K5PqgsFuxqwCzzkPQDDA6A5AAUI DsdA27iTthBAOKjFJvh3TPuEdnFtMZghsYo0YU8OoJl47/gJhx36gFFivyudWYKN IHxOVbyNsmAphUDfwUyJUxKKbcFgx59AvTNSD2v2N7ulehYIN3GWjRgLtm30HX45 fPMhzoVQJHTBLmqtUviKc9pJPPV4bctt82p5iuCQ8DZHHImtYsJQbbBzzpjtv9DA zXRp/XyJoZwCLuIvwvcc0kYMo0E7CkGFHWfMJvVFmAkokc4N1bw3F/PEolhrlXwE Kx25Zif6HlX2QR7ReADL/fe9JdJqGYjLkq9KXHteg4VLpBx6cB+6Wcie76ONeA5C MWzancxEwMN2gSXymwB7gAtA3dKA2Dct34Gm0rdnRVR2Iafy4YyaIVbszUvHX5XB LHTHg0UNz7plbefH3kPBVCCz/G/AwHeK0DNusO8HNIwQAVZyV60m0j -----END PGP SIGNATURE-----
Credit: zdi-disclosures@trendmicro.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GStreamer | <1.22.8 | |
| GStreamer |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.zerodayinitiative.com/advisories/ZDI-24-368/
- https://gstreamer.freedesktop.org/security/sa-2023-0011.html
- https://www.debian.org/security/
- https://www.debian.org/security/faq
- https://security-tracker.debian.org/tracker/gst-plugins-bad1.0
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2255640
- https://access.redhat.com/errata/RHSA-2024:2287
- https://bugzilla.redhat.com/show_bug.cgi?id=2255639
- agent/first-publish-date
- agent/title
- agent/type
- agent/description
- agent/author
- agent/event
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-50186
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/softwarecombine
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-24-368
- alias/ZDI-CAN-22300
- vendor/gstreamer project
- canonical/gstreamer
- vendor/gstreamer