An update for gstreamer1-plugins-good is now available for openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2594 Final 1.0 1.0 2024-12-27 Initial 2024-12-27 2024-12-27 openEuler SA Tool V1.0 2024-12-27 gstreamer1-plugins-good security update An update for gstreamer1-plugins-good is now available for openEuler-20.03-LTS-SP4 GStreamer is a streaming media framework, based on graphs of filters which operate on media data. Applications using this library can do anything from real-time sound processing to playing videos, and just about anything else media-related. Its plugin-based architecture means that new data types or processing capabilities can be added simply by installing new plugins. Security Fix(es): (CVE-2024-47537) (CVE-2024-47539) (CVE-2024-47540) (CVE-2024-47543) (CVE-2024-47544) (CVE-2024-47545) (CVE-2024-47546) (CVE-2024-47596) (CVE-2024-47597) (CVE-2024-47599) (CVE-2024-47601) (CVE-2024-47602) (CVE-2024-47603) (CVE-2024-47606) (CVE-2024-47613) (CVE-2024-47774) (CVE-2024-47775) (CVE-2024-47776) (CVE-2024-47777) (CVE-2024-47778) (CVE-2024-47834) An update for gstreamer1-plugins-good is now available for openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical gstreamer1-plugins-good https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47537 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47539 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47540 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47543 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47544 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47545 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47546 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47596 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47597 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47599 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47601 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47602 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47603 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47606 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47613 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47774 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47775 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47776 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47777 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47778 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-47834 https://nvd.nist.gov/vuln/detail/CVE-2024-47537 https://nvd.nist.gov/vuln/detail/CVE-2024-47539 https://nvd.nist.gov/vuln/detail/CVE-2024-47540 https://nvd.nist.gov/vuln/detail/CVE-2024-47543 https://nvd.nist.gov/vuln/detail/CVE-2024-47544 https://nvd.nist.gov/vuln/detail/CVE-2024-47545 https://nvd.nist.gov/vuln/detail/CVE-2024-47546 https://nvd.nist.gov/vuln/detail/CVE-2024-47596 https://nvd.nist.gov/vuln/detail/CVE-2024-47597 https://nvd.nist.gov/vuln/detail/CVE-2024-47599 https://nvd.nist.gov/vuln/detail/CVE-2024-47601 https://nvd.nist.gov/vuln/detail/CVE-2024-47602 https://nvd.nist.gov/vuln/detail/CVE-2024-47603 https://nvd.nist.gov/vuln/detail/CVE-2024-47606 https://nvd.nist.gov/vuln/detail/CVE-2024-47613 https://nvd.nist.gov/vuln/detail/CVE-2024-47774 https://nvd.nist.gov/vuln/detail/CVE-2024-47775 https://nvd.nist.gov/vuln/detail/CVE-2024-47776 https://nvd.nist.gov/vuln/detail/CVE-2024-47777 https://nvd.nist.gov/vuln/detail/CVE-2024-47778 https://nvd.nist.gov/vuln/detail/CVE-2024-47834 openEuler-20.03-LTS-SP4 gstreamer1-plugins-good-1.16.2-8.oe2003sp4.aarch64.rpm gstreamer1-plugins-good-debuginfo-1.16.2-8.oe2003sp4.aarch64.rpm gstreamer1-plugins-good-debugsource-1.16.2-8.oe2003sp4.aarch64.rpm gstreamer1-plugins-good-gtk-1.16.2-8.oe2003sp4.aarch64.rpm gstreamer1-plugins-good-1.16.2-8.oe2003sp4.src.rpm gstreamer1-plugins-good-1.16.2-8.oe2003sp4.x86_64.rpm gstreamer1-plugins-good-debuginfo-1.16.2-8.oe2003sp4.x86_64.rpm gstreamer1-plugins-good-debugsource-1.16.2-8.oe2003sp4.x86_64.rpm gstreamer1-plugins-good-gtk-1.16.2-8.oe2003sp4.x86_64.rpm gstreamer1-plugins-good-help-1.16.2-8.oe2003sp4.noarch.rpm GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47537 openEuler-20.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47539 openEuler-20.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47540 openEuler-20.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in qtdemux_parse_container function within qtdemux.c. In the parent function qtdemux_parse_node, the value of length is not well checked. So, if length is big enough, it causes the pointer end to point beyond the boundaries of buffer. Subsequently, in the qtdemux_parse_container function, the while loop can trigger an OOB-read, accessing memory beyond the bounds of buf. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47543 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. The function qtdemux_parse_sbgp in qtdemux.c is affected by a null dereference vulnerability. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47544 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in qtdemux_parse_trak function within qtdemux.c. During the strf parsing case, the subtraction size -= 40 can lead to a negative integer overflow if it is less than 40. If this happens, the subsequent call to gst_buffer_fill will invoke memcpy with a large tocopy size, resulting in an OOB-read. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47545 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in extract_cc_from_data function within qtdemux.c. In the FOURCC_c708 case, the subtraction atom_length - 8 may result in an underflow if atom_length is less than 8. When that subtraction underflows, *cclen ends up being a large number, and then cclen is passed to g_memdup2 leading to an out-of-bounds (OOB) read. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47546 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in the qtdemux_parse_svq3_stsd_data function within qtdemux.c. In the FOURCC_SMI_ case, seqh_size is read from the input file without proper validation. If seqh_size is greater than the remaining size of the data buffer, it can lead to an OOB-read in the following call to gst_buffer_fill, which internally uses memcpy. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47596 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been detected in the function qtdemux_parse_samples within qtdemux.c. This issue arises when the function qtdemux_parse_samples reads data beyond the boundaries of the stream->stco buffer. The following code snippet shows the call to qt_atom_parser_get_offset_unchecked, which leads to the OOB-read when parsing the provided GHSL-2024-245_crash1.mp4 file. This issue may lead to read up to 8 bytes out-of-bounds. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47597 openEuler-20.03-LTS-SP4 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_jpeg_dec_negotiate function in gstjpegdec.c. This function does not check for a NULL return value from gst_video_decoder_set_output_state. When this happens, dereferences of the outstate pointer will lead to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47599 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_parse_blockgroup_or_simpleblock function within matroska-demux.c. This function does not properly check the validity of the GstBuffer *sub pointer before performing dereferences. As a result, null pointer dereferences may occur. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47601 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. This function does not properly check the validity of the stream->codec_priv pointer in the following code. If stream->codec_priv is NULL, the call to GST_READ_UINT16_LE will attempt to dereference a null pointer, leading to a crash of the application. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47602 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_update_tracks function within matroska-demux.c. The vulnerability occurs when the gst_caps_is_equal function is called with invalid caps values. If this happen, then in the function gst_buffer_get_size the call to GST_BUFFER_MEM_PTR can return a null pointer. Attempting to dereference the size field of this null pointer results in a null pointer dereference. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47603 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47606 openEuler-20.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the vorbis_handle_identification_packet function within gstvorbisdec.c. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This vulnerability allows to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the GstAudioInfo info structure. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47613 openEuler-20.03-LTS-SP4 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47774 openEuler-20.03-LTS-SP4 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been found in the parse_ds64 function within gstwavparse.c. The parse_ds64 function does not check that the buffer buf contains sufficient data before attempting to read from it, doing multiple GST_READ_UINT32_LE operations without performing boundary checks. This can lead to an OOB-read when buf is smaller than expected. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47775 openEuler-20.03-LTS-SP4 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in gst_wavparse_cue_chunk within gstwavparse.c. The vulnerability happens due to a discrepancy between the size of the data buffer and the size value provided to the function. This mismatch causes the comparison if (size < 4 + ncues * 24) to fail in some cases, allowing the subsequent loop to access beyond the bounds of the data buffer. The root cause of this discrepancy stems from a miscalculation when clipping the chunk size based on upstream data size. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47776 openEuler-20.03-LTS-SP4 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_wavparse_smpl_chunk function within gstwavparse.c. This function attempts to read 4 bytes from the data + 12 offset without checking if the size of the data buffer is sufficient. If the buffer is too small, the function reads beyond its bounds. This vulnerability may result in reading 4 bytes out of the boundaries of the data buffer. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47777 openEuler-20.03-LTS-SP4 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in gst_wavparse_adtl_chunk within gstwavparse.c. This vulnerability arises due to insufficient validation of the size parameter, which can exceed the bounds of the data buffer. As a result, an OOB read occurs in the following while loop. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47778 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594 GStreamer is a library for constructing graphs of media-handling components. An Use-After-Free read vulnerability has been discovered affecting the processing of CodecPrivate elements in Matroska streams. In the GST_MATROSKA_ID_CODECPRIVATE case within the gst_matroska_demux_parse_stream function, a data chunk is allocated using gst_ebml_read_binary. Later, the allocated memory is freed in the gst_matroska_track_free function, by the call to g_free (track->codec_priv). Finally, the freed memory is accessed in the caps_serialize function through gst_value_serialize_buffer. The freed memory will be accessed in the gst_value_serialize_buffer function. This results in a UAF read vulnerability, as the function tries to process memory that has already been freed. This vulnerability is fixed in 1.24.10. 2024-12-27 CVE-2024-47834 openEuler-20.03-LTS-SP4 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H gstreamer1-plugins-good security update 2024-12-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2594