What is the severity of CVE-2024-47538?

CVE-2024-47538 has been classified as a critical vulnerability due to the potential for stack-buffer overflow.

How do I fix CVE-2024-47538?

To fix CVE-2024-47538, update the GStreamer library to version 1.24.10 or later, or to the specified patched versions in the affected software.

What software is affected by CVE-2024-47538?

CVE-2024-47538 affects GStreamer versions prior to 1.24.10 and specific versions of the gst-plugins-base1.0 package.

What is a stack-buffer overflow as related to CVE-2024-47538?

A stack-buffer overflow in CVE-2024-47538 occurs when the size of the position array exceeds its allocated stack size, posing a risk of code execution.

How can I determine if my system is vulnerable to CVE-2024-47538?

You can determine if your system is vulnerable to CVE-2024-47538 by checking the installed version of GStreamer and comparing it to the affected versions.

Vulnerability/
CVE-2024-47538

critical

9.8

CWE

121 119 787

11/12/2024

19/12/2024

CVE-2024-47538: GHSL-2024-115: GStreamer has a stack-buffer overflow in vorbis_handle_identification_packet

First published: Wed Dec 11 2024(Updated: )

GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the `vorbis_handle_identification_packet` function within `gstvorbisdec.c`. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be `GST_AUDIO_CHANNEL_POSITION_NONE`. This vulnerability allows someone to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the `GstAudioInfo` info structure. This vulnerability is fixed in 1.24.10.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
debian/gst-plugins-base1.0	<=1.18.4-2+deb11u2<=1.22.0-3+deb12u2	1.18.4-2+deb11u3 1.22.0-3+deb12u3 1.24.10-1
GStreamer	<1.24.10

Remedy

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8035.patch

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-47538?
CVE-2024-47538 has been classified as a critical vulnerability due to the potential for stack-buffer overflow.
How do I fix CVE-2024-47538?
To fix CVE-2024-47538, update the GStreamer library to version 1.24.10 or later, or to the specified patched versions in the affected software.
What software is affected by CVE-2024-47538?
CVE-2024-47538 affects GStreamer versions prior to 1.24.10 and specific versions of the gst-plugins-base1.0 package.
What is a stack-buffer overflow as related to CVE-2024-47538?
A stack-buffer overflow in CVE-2024-47538 occurs when the size of the position array exceeds its allocated stack size, posing a risk of code execution.
How can I determine if my system is vulnerable to CVE-2024-47538?
You can determine if your system is vulnerable to CVE-2024-47538 by checking the installed version of GStreamer and comparing it to the affected versions.

agent/title
agent/type
agent/first-publish-date
agent/severity
agent/weakness
agent/remedy
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2024-47538
agent/references
agent/trending
collector/usn-cve
source/Ubuntu
collector/security-tracker-debian
source/Debian
agent/software-canonical-lookup
agent/author
agent/description
agent/softwarecombine
agent/event
agent/source
agent/tags
collector/nvd-cve
source/NVD
agent/software-canonical-lookup-request
collector/nvd-api
package-manager/debian
vendor/gstreamer project
canonical/gstreamer