Gentoo Linux Security Advisory 202208-31

Gentoo Linux Security Advisory 202208-31 - Multiple vulnerabilities have been found in GStreamer and its plugins, the worst of which could result in arbitrary code execution. Versions less than 1.16.3 are affected.

Source: Packet Storm

Gentoo Linux Security Advisory GLSA 202208-31
https://security.gentoo.org/

Severity: High
Title: GStreamer, GStreamer Plugins: Multiple Vulnerabilities
Date: August 14, 2022
Bugs: #766336, #785652, #785655, #785658, #785661, #835368, #843770, #765163
ID: 202208-31


Synopsis

Multiple vulnerabilities have been found in GStreamer and its plugins,
the worst of which could result in arbitrary code execution.

Background

GStreamer is an open source multimedia framework.

Affected packages

-------------------------------------------------------------------
    Package                          /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
 1  media-libs/gst-plugins-bad          < 1.16.3       >= 1.16.3
 2  media-libs/gst-plugins-base         < 1.18.4       >= 1.18.4
 3  media-libs/gst-plugins-good         < 1.18.4       >= 1.18.4
 4  media-libs/gst-plugins-ugly         < 1.18.4       >= 1.18.4
 5  media-libs/gstreamer                < 1.20.2       >= 1.20.2
 6  media-plugins/gst-plugins-libav     < 1.18.4       >= 1.18.4

Description

Multiple vulnerabilities have been found in GStreamer and its plugins.
Please review the CVE and GStreamer-SA identifiers referenced below for
details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All GStreamer users should update to the latest version:

  emerge --sync
  emerge --ask --oneshot --verbose ">=media-libs/gstreamer-1.20.2"

All gst-plugins-bad users should update to the latest version:

  emerge --sync
  emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-bad-1.20.2"

All gst-plugins-good users should update to the latest version:

  emerge --sync
  emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-good-1.20.2"

All gst-plugins-ugly users should update to the latest version:

  emerge --sync
  emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-ugly-1.20.2"

All gst-plugins-base users should update to the latest version:

  emerge --sync
  emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-base-1.20.2"

All gst-plugins-libav users should update to the latest version:

  emerge --sync
  emerge --ask --oneshot --verbose ">=media-plugins/gst-plugins-libav-1.20.2"
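Before running the updates above, an administrator usually wants to know which of the six listed packages on a host are actually below the "Unaffected" version from the table. The script below is an added example and is not part of the GLSA or of Gentoo's tooling: it embeds the advisory's thresholds, compares dotted version strings numerically (so 1.18.10 is correctly treated as newer than 1.18.4), strips Gentoo revision suffixes such as -r1 before comparing, and scans a constructed sample inventory. The inventory lines are made up for the example; on a real host you would feed a "category/package version" listing from your package query tool of choice into `scan_installed` instead.

```shell
#!/bin/sh
# Added example (not part of the GLSA): check installed package versions
# against the "Unaffected" column of the advisory's Affected packages table.

# Thresholds copied from the GLSA 202208-31 table: package, first unaffected version.
GLSA_202208_31='media-libs/gst-plugins-bad 1.16.3
media-libs/gst-plugins-base 1.18.4
media-libs/gst-plugins-good 1.18.4
media-libs/gst-plugins-ugly 1.18.4
media-libs/gstreamer 1.20.2
media-plugins/gst-plugins-libav 1.18.4'

# threshold_for CATEGORY/PKG -> prints the first unaffected version, or
# nothing when the package is not covered by this advisory.
threshold_for() {
    printf '%s\n' "$GLSA_202208_31" | awk -v p="$1" '$1 == p { print $2 }'
}

# vercmp A B -> prints lt, eq or gt. Versions are compared component by
# component as integers; missing trailing components count as 0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "lt"; exit }
            if (xi > yi) { print "gt"; exit }
        }
        print "eq"
    }'
}

# is_vulnerable CATEGORY/PKG VERSION -> true (0) when the installed version
# is below the advisory threshold. A Gentoo revision suffix (-rN) is
# stripped first: 1.18.4-r1 is still >= 1.18.4 and therefore unaffected.
is_vulnerable() {
    t=$(threshold_for "$1")
    [ -n "$t" ] || return 1
    v=${2%%-r*}
    [ "$(vercmp "$v" "$t")" = lt ]
}

# scan_installed: reads "category/package version" lines on stdin and
# prints one verdict per line. Malformed lines are skipped rather than
# being treated as version 0 (which would flag them as vulnerable).
scan_installed() {
    while read -r pkg ver; do
        if [ -z "$pkg" ] || [ -z "$ver" ]; then continue; fi
        if is_vulnerable "$pkg" "$ver"; then
            echo "VULNERABLE  $pkg-$ver  (unaffected: >=$(threshold_for "$pkg"))"
        else
            echo "ok          $pkg-$ver"
        fi
    done
}

# vulnerable_count: same input as scan_installed, prints the number of
# packages that need the update from this advisory.
vulnerable_count() {
    n=0
    while read -r pkg ver; do
        if [ -z "$pkg" ] || [ -z "$ver" ]; then continue; fi
        if is_vulnerable "$pkg" "$ver"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample inventory (not taken from any real host).
SAMPLE_INSTALLED='media-libs/gstreamer 1.20.2
media-libs/gst-plugins-base 1.18.4-r1
media-libs/gst-plugins-good 1.16.2
media-libs/gst-plugins-bad 1.18.10
media-plugins/gst-plugins-libav 1.18.3
dev-libs/glib 2.72.3'

printf '%s\n' "$SAMPLE_INSTALLED" | scan_installed
echo "packages needing the GLSA 202208-31 update: $(printf '%s\n' "$SAMPLE_INSTALLED" | vulnerable_count)"
```

On the sample inventory, gst-plugins-good 1.16.2 and gst-plugins-libav 1.18.3 are reported as vulnerable; gst-plugins-base 1.18.4-r1 is not, because the revision suffix is ignored and the base version meets the threshold; gst-plugins-bad 1.18.10 is not, because the comparison is numeric rather than lexical; the unrelated dev-libs/glib entry is passed through as ok.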

References

[ 1 ] CVE-2021-3185
https://nvd.nist.gov/vuln/detail/CVE-2021-3185
[ 2 ] CVE-2021-3497
https://nvd.nist.gov/vuln/detail/CVE-2021-3497
[ 3 ] CVE-2021-3498
https://nvd.nist.gov/vuln/detail/CVE-2021-3498
[ 4 ] CVE-2021-3522
https://nvd.nist.gov/vuln/detail/CVE-2021-3522
[ 5 ] GStreamer-SA-2021-0001
[ 6 ] GStreamer-SA-2021-0002
[ 7 ] GStreamer-SA-2021-0004
[ 8 ] GStreamer-SA-2021-0005

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202208-31

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Related news

Red Hat Security Advisory 2022-7618-01

Red Hat Security Advisory 2022-7618-01 - GStreamer is a streaming media framework based on graphs of filters that operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Issues addressed include a use-after-free vulnerability.

RHSA-2022:7618: Red Hat Security Advisory: gstreamer1-plugins-good security update

An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3497: gstreamer-plugins-good: Use-after-free in matroska demuxing

CVE-2021-36338: DSA-2021-226: Dell EMC Unisphere for PowerMax, Dell EMC Unisphere for PowerMax vApp, Dell EMC Solutions Enabler vApp, Dell EMC Unisphere 360, Dell EMC VASA, and Dell EMC PowerMax EMB Mgmt Security Upd

Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability. An adjacent malicious user could potentially exploit this vulnerability to escalate their privileges and access functionalities they do not have access to. CVE-2022-31233 addresses the partial fix in CVE-2021-36338.

CVE-2021-35576: Oracle Critical Patch Update Advisory - October 2021

Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

CVE-2021-3498

GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.

CVE-2021-3185: Invalid Bug ID

A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly code execution.
