Gentoo Linux Security Advisory 202208-31
Gentoo Linux Security Advisory 202208-31 - Multiple vulnerabilities have been found in GStreamer and its plugins, the worst of which could result in arbitrary code execution. Versions less than 1.16.3 are affected.
Gentoo Linux Security Advisory GLSA 202208-31
https://security.gentoo.org/
Severity: High
Title: GStreamer, GStreamer Plugins: Multiple Vulnerabilities
Date: August 14, 2022
Bugs: #766336, #785652, #785655, #785658, #785661, #835368, #843770, #765163
ID: 202208-31
Synopsis
Multiple vulnerabilities have been found in GStreamer and its plugins,
the worst of which could result in arbitrary code execution.
Background
GStreamer is an open source multimedia framework.
Affected packages
-------------------------------------------------------------------
     Package                          /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
  1  media-libs/gst-plugins-bad          < 1.16.3       >= 1.16.3
  2  media-libs/gst-plugins-base         < 1.18.4       >= 1.18.4
  3  media-libs/gst-plugins-good         < 1.18.4       >= 1.18.4
  4  media-libs/gst-plugins-ugly         < 1.18.4       >= 1.18.4
  5  media-libs/gstreamer                < 1.20.2       >= 1.20.2
  6  media-plugins/gst-plugins-libav     < 1.18.4       >= 1.18.4
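Added example (written for this page, not part of the Gentoo advisory): a small Python check that parses the "Affected packages" table above and reports which entries of a constructed installed-package set still fall below the unaffected threshold. It assumes a simplified dotted-numeric version compare that is adequate for the versions in this advisory; full Portage version rules (suffixes such as _rc1 or -r1) are not implemented.

```python
"""Check installed package versions against the GLSA 202208-31 table.
Editor-added example, not advisory code. Version comparison is a
simplified dotted-numeric compare (assumption): a suffix such as
-r1 or _rc1 is ignored, which Portage's real vercmp would not do."""
import re

# Rows as printed in the advisory: package, vulnerable range, unaffected range.
GLSA_202208_31 = """
media-libs/gst-plugins-bad       < 1.16.3   >= 1.16.3
media-libs/gst-plugins-base      < 1.18.4   >= 1.18.4
media-libs/gst-plugins-good      < 1.18.4   >= 1.18.4
media-libs/gst-plugins-ugly      < 1.18.4   >= 1.18.4
media-libs/gstreamer             < 1.20.2   >= 1.20.2
media-plugins/gst-plugins-libav  < 1.18.4   >= 1.18.4
"""

ROW = re.compile(r"^\s*(\S+)\s+<\s*(\S+)\s+>=\s*(\S+)\s*$")

def parse_table(text):
    """Return {package: (vulnerable_below, unaffected_from)} from the table text."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3))
    return rows

def version_key(v):
    """Leading dotted-numeric part as an int tuple; anything after it is dropped."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def vulnerable_packages(installed, table=GLSA_202208_31):
    """installed: {package: version}. Returns [(package, version, unaffected_from)]
    for each installed package whose version is below the unaffected threshold."""
    rows = parse_table(table)
    hits = []
    for pkg, ver in installed.items():
        if pkg in rows:
            _, unaffected = rows[pkg]
            if version_key(ver) < version_key(unaffected):
                hits.append((pkg, ver, unaffected))
    return hits

if __name__ == "__main__":
    # Constructed sample of an installed set: two patched, two still vulnerable.
    sample = {"media-libs/gstreamer": "1.20.2", "media-libs/gst-plugins-bad": "1.16.2",
              "media-libs/gst-plugins-good": "1.18.4", "media-plugins/gst-plugins-libav": "1.16.3"}
    for pkg, ver, fixed in vulnerable_packages(sample):
        print(f"{pkg}-{ver} is affected; unaffected from {fixed}")
```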
Description
Multiple vulnerabilities have been found in GStreamer and its plugins.
Please review the CVE and GStreamer-SA identifiers referenced below for
details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All GStreamer users should update to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=media-libs/gstreamer-1.20.2"
All gst-plugins-bad users should update to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-bad-1.20.2"
All gst-plugins-good users should update to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-good-1.20.2"
All gst-plugins-ugly users should update to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-ugly-1.20.2"
All gst-plugins-base users should update to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-base-1.20.2"
All gst-plugins-libav users should update to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=media-plugins/gst-plugins-libav-1.20.2"
References
[ 1 ] CVE-2021-3185
https://nvd.nist.gov/vuln/detail/CVE-2021-3185
[ 2 ] CVE-2021-3497
https://nvd.nist.gov/vuln/detail/CVE-2021-3497
[ 3 ] CVE-2021-3498
https://nvd.nist.gov/vuln/detail/CVE-2021-3498
[ 4 ] CVE-2021-3522
https://nvd.nist.gov/vuln/detail/CVE-2021-3522
[ 5 ] GStreamer-SA-2021-0001
[ 6 ] GStreamer-SA-2021-0002
[ 7 ] GStreamer-SA-2021-0004
[ 8 ] GStreamer-SA-2021-0005
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202208-31
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
Red Hat Security Advisory 2022-7618-01 - GStreamer is a streaming media framework based on graphs of filters that operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Issues addressed include a use-after-free vulnerability.
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3497: gstreamer-plugins-good: Use-after-free in matroska demuxing
GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.
A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly code execution.