CVE-2024-40897: Buffer Overflow
First published: Fri Jul 26 2024(Updated: )
Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments.
Credit: vultures@jpcert.or.jp vultures@jpcert.or.jp
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/orc | <1:0.4.31-1ubuntu0.1 | 1:0.4.31-1ubuntu0.1 |
| ubuntu/orc | <1:0.4.32-2ubuntu0.1 | 1:0.4.32-2ubuntu0.1 |
| ubuntu/orc | <1:0.4.38-1ubuntu0.1 | 1:0.4.38-1ubuntu0.1 |
| ubuntu/orc | <1:0.4.39-1 | 1:0.4.39-1 |
| Gstreamer Orc | <0.4.39 | |
| debian/orc | <=1:0.4.32-1<=1:0.4.33-2 | 1:0.4.39-3 |
Remedy
https://gitlab.freedesktop.org/gstreamer/orc/-/commit/fb7db9ae3e8ac271651d1884a3611d30bac04a98
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/GStreamer/orc
- https://gstreamer.freedesktop.org/modules/orc.html
- https://jvn.jp/en/jp/JVN02030803/
- http://www.openwall.com/lists/oss-security/2024/07/26/1
- https://www.cve.org/CVERecord?id=CVE-2024-40897
- https://gstreamer.freedesktop.org/security/sa-2024-0003.html
- https://ubuntu.com/security/notices/USN-6964-1
- https://nvd.nist.gov/vuln/detail/CVE-2024-40897
- https://launchpad.net/bugs/cve/CVE-2024-40897
- https://security-tracker.debian.org/tracker/CVE-2024-40897
- https://gitlab.freedesktop.org/gstreamer/orc/-/merge_requests/191
- https://gitlab.freedesktop.org/gstreamer/orc/-/commit/fb7db9ae3e8ac271651d1884a3611d30bac04a98
- https://ubuntu.com/security/CVE-2024-40897
- https://access.redhat.com/errata/RHSA-2024:5306
- https://access.redhat.com/errata/RHSA-2024:5629
- https://access.redhat.com/errata/RHSA-2024:5638
- https://access.redhat.com/errata/RHSA-2024:5882
- https://access.redhat.com/errata/RHSA-2024:6159
- https://access.redhat.com/errata/RHSA-2024:6184
- https://bugzilla.redhat.com/show_bug.cgi?id=2300010
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/first-publish-date
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/references
- agent/description
- agent/weakness
- agent/last-modified-date
- agent/severity
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- agent/tags
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- agent/softwarecombine
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-40897
- package-manager/ubuntu
- vendor/gstreamer
- canonical/gstreamer orc
- package-manager/debian