[gentoo-announce] [ GLSA 201512-07 ] GStreamer: User-assisted execution of arbitrary code - gentoo-announce

From:	Yury German <blueknight@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201512-07 ] GStreamer: User-assisted execution of arbitrary code
Date:	Wed, 30 Dec 2015 11:48:21
Message-Id:	`5683C3C5.4080908@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201512-07

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: GStreamer: User-assisted execution of arbitrary code

9

     Date: December 30, 2015

10

     Bugs: #553742

11

       ID: 201512-07

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A buffer overflow in GStreamer could allow remote attackers to execute

19

arbitrary code or cause Denial of Service.

20

21

Background

22

==========

23

24

GStreamer is an open source multimedia framework.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  media-libs/gstreamer         < 1.4.5                    >= 1.4.5

33

34

Description

35

===========

36

37

A buffer overflow vulnerability has been found in the parsing of H.264

38

formatted video.

39

40

Impact

41

======

42

43

A remote attacker could entice a user to open a specially crafted H.264

44

formatted video using an application linked against GStreamer, possibly

45

resulting in execution of arbitrary code with the privileges of the

46

process or a Denial of Service condition.

47

48

Workaround

49

==========

50

51

There is no known workaround at this time.

52

53

Resolution

54

==========

55

56

All GStreamer users should upgrade to the latest version:

57

58

  # emerge --sync

59

  # emerge --ask --oneshot --verbose ">=media-libs/gstreamer-1.4.5"

60

61

References

62

==========

63

64

[ 1 ] CVE-2015-0797

65

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0797

66

67

Availability

68

============

69

70

This GLSA and any updates to it are available for viewing at

71

the Gentoo Security Website:

72

73

 https://security.gentoo.org/glsa/201512-07

74

75

Concerns?

76

=========

77

78

Security is a primary focus of Gentoo Linux and ensuring the

79

confidentiality and security of our users' machines is of utmost

80

importance to us. Any security concerns should be addressed to

81

security@g.o or alternatively, you may file a bug at

82

https://bugs.gentoo.org.

83

84

License

85

=======

86

87

Copyright 2015 Gentoo Foundation, Inc; referenced text

88

belongs to its owner(s).

89

90

The contents of this document are licensed under the

91

Creative Commons - Attribution / Share Alike license.

92

93

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201512-07
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: GStreamer: User-assisted execution of arbitrary code
9	Date: December 30, 2015
10	Bugs: #553742
11	ID: 201512-07
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A buffer overflow in GStreamer could allow remote attackers to execute
19	arbitrary code or cause Denial of Service.
20
21	Background
22	==========
23
24	GStreamer is an open source multimedia framework.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 media-libs/gstreamer < 1.4.5 >= 1.4.5
33
34	Description
35	===========
36
37	A buffer overflow vulnerability has been found in the parsing of H.264
38	formatted video.
39
40	Impact
41	======
42
43	A remote attacker could entice a user to open a specially crafted H.264
44	formatted video using an application linked against GStreamer, possibly
45	resulting in execution of arbitrary code with the privileges of the
46	process or a Denial of Service condition.
47
48	Workaround
49	==========
50
51	There is no known workaround at this time.
52
53	Resolution
54	==========
55
56	All GStreamer users should upgrade to the latest version:
57
58	# emerge --sync
59	# emerge --ask --oneshot --verbose ">=media-libs/gstreamer-1.4.5"
60
61	References
62	==========
63
64	[ 1 ] CVE-2015-0797
65	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0797
66
67	Availability
68	============
69
70	This GLSA and any updates to it are available for viewing at
71	the Gentoo Security Website:
72
73	https://security.gentoo.org/glsa/201512-07
74
75	Concerns?
76	=========
77
78	Security is a primary focus of Gentoo Linux and ensuring the
79	confidentiality and security of our users' machines is of utmost
80	importance to us. Any security concerns should be addressed to
81	security@g.o or alternatively, you may file a bug at
82	https://bugs.gentoo.org.
83
84	License
85	=======
86
87	Copyright 2015 Gentoo Foundation, Inc; referenced text
88	belongs to its owner(s).
89
90	The contents of this document are licensed under the
91	Creative Commons - Attribution / Share Alike license.
92
93	http://creativecommons.org/licenses/by-sa/2.5