Out-of-bounds read in gst-plugins-ugly1 (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-5846 |
| CWE-ID | CWE-125 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
gst-plugins-ugly1 (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Out-of-bounds read
EUVDB-ID: #VU32097
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-5846
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors related to the number of languages in a video file.
MitigationInstall update from vendor's website.
Vulnerable software versionsgst-plugins-ugly1 (Alpine package): 1.8.1-r1 - 1.8.1-r3
CPE2.3- cpe:2.3:a:alpine:gst-plugins-ugly1_alpine_package:1.8.1-r1:*:*:*:*:alpine_linux:*:3.3
- cpe:2.3:a:alpine:gst-plugins-ugly1_alpine_package:1.8.1-r3:*:*:*:*:alpine_linux:*:3.4
https://git.alpinelinux.org/aports/commit/?id=01c266e211afee4f4248e5ebb976b1be1e8d332b
https://git.alpinelinux.org/aports/commit/?id=73e74714f6cc4d04a6eba237aa0e5658c15c705a
https://git.alpinelinux.org/aports/commit/?id=b8a7d654872e2cbbcd72060ff253170be3c8f1ba
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
