SB2017020313 - Arch Linux update for gst-plugins-bad

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017020313

SB2017020313 - Arch Linux update for gst-plugins-bad

Published: February 3, 2017 Updated: May 3, 2017

Security Bulletin ID SB2017020313
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2017-5843)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Multiple use-after-free vulnerabilities in the (1) gst_mini_object_unref, (2) gst_tag_list_unref, and (3) gst_mxf_demux_update_essence_tracks functions in GStreamer before 1.10.3 allow remote attackers to cause a denial of service (crash) via vectors involving stream tags, as demonstrated by 02785736.mxf.


2) Out-of-bounds read (CVE-ID: CVE-2017-5848)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing.


Remediation

Install update from vendor's website.

References