SB2017020940 - Fedora 25 update for mingw-gstreamer1-plugins-good

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2016-10199)

The vulnerability allows a remote attacker to gain access to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the gst/isomp4/qtdemux.c function in gst-plugins-good file. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and crash the affected application.

2) Out-of-bounds read (CVE-ID: CVE-2017-5845)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a ncdt sub-tag that "goes behind" the surrounding tag.

3) Out-of-bounds read (CVE-ID: CVE-2017-5840)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary error in the qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plugins-good. A remote attacker can create vectors involving the current stts index, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

4) Out-of-bounds read (CVE-ID: CVE-2017-5841)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary error in the gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good. A remote attacker can create vectors involving ncdt tags, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fc4026d15