Headline
Red Hat Security Advisory 2023-2260-01
Red Hat Security Advisory 2023-2260-01 - GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Issues addressed include a buffer overflow vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: gstreamer1-plugins-good security update
Advisory ID: RHSA-2023:2260-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2260
Issue date: 2023-05-09
CVE Names: CVE-2022-1920 CVE-2022-1921 CVE-2022-1922
CVE-2022-1923 CVE-2022-1924 CVE-2022-1925
CVE-2022-2122
====================================================================
- Summary:
An update for gstreamer1-plugins-good is now available for Red Hat
Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
- Description:
GStreamer is a streaming media framework based on graphs of filters which
operate on media data. The gstreamer1-plugins-good packages contain a
collection of well-supported plug-ins of good quality and under the LGPL
license.
Security Fix(es):
gstreamer-plugins-good: Potential heap overwrite in
gst_matroska_demux_add_wvpk_header() (CVE-2022-1920)gstreamer-plugins-good: Heap-based buffer overflow in the avi demuxer
when handling certain AVI files (CVE-2022-1921)gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using
zlib decompression (CVE-2022-1922)gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using
bz2 decompression (CVE-2022-1923)gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using
lzo decompression (CVE-2022-1924)gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using
HEADERSTRIP decompression (CVE-2022-1925)gstreamer-plugins-good: Potential heap overwrite in mp4 demuxing using
zlib decompression (CVE-2022-2122)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.2 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2130935 - CVE-2022-1920 gstreamer-plugins-good: Potential heap overwrite in gst_matroska_demux_add_wvpk_header()
2130949 - CVE-2022-1921 gstreamer-plugins-good: Heap-based buffer overflow in the avi demuxer when handling certain AVI files
2130955 - CVE-2022-1922 gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using zlib decompression
2130959 - CVE-2022-1923 gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using bz2 decompression
2131003 - CVE-2022-1924 gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using lzo decompression
2131007 - CVE-2022-1925 gstreamer-plugins-good: Potential heap overwrite in mkv demuxing using HEADERSTRIP decompression
2131018 - CVE-2022-2122 gstreamer-plugins-good: Potential heap overwrite in mp4 demuxing using zlib decompression
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
gstreamer1-plugins-good-1.18.4-6.el9.src.rpm
aarch64:
gstreamer1-plugins-good-1.18.4-6.el9.aarch64.rpm
gstreamer1-plugins-good-debuginfo-1.18.4-6.el9.aarch64.rpm
gstreamer1-plugins-good-debugsource-1.18.4-6.el9.aarch64.rpm
gstreamer1-plugins-good-gtk-1.18.4-6.el9.aarch64.rpm
gstreamer1-plugins-good-gtk-debuginfo-1.18.4-6.el9.aarch64.rpm
gstreamer1-plugins-good-qt-debuginfo-1.18.4-6.el9.aarch64.rpm
ppc64le:
gstreamer1-plugins-good-1.18.4-6.el9.ppc64le.rpm
gstreamer1-plugins-good-debuginfo-1.18.4-6.el9.ppc64le.rpm
gstreamer1-plugins-good-debugsource-1.18.4-6.el9.ppc64le.rpm
gstreamer1-plugins-good-gtk-1.18.4-6.el9.ppc64le.rpm
gstreamer1-plugins-good-gtk-debuginfo-1.18.4-6.el9.ppc64le.rpm
gstreamer1-plugins-good-qt-debuginfo-1.18.4-6.el9.ppc64le.rpm
s390x:
gstreamer1-plugins-good-1.18.4-6.el9.s390x.rpm
gstreamer1-plugins-good-debuginfo-1.18.4-6.el9.s390x.rpm
gstreamer1-plugins-good-debugsource-1.18.4-6.el9.s390x.rpm
gstreamer1-plugins-good-gtk-1.18.4-6.el9.s390x.rpm
gstreamer1-plugins-good-gtk-debuginfo-1.18.4-6.el9.s390x.rpm
gstreamer1-plugins-good-qt-debuginfo-1.18.4-6.el9.s390x.rpm
x86_64:
gstreamer1-plugins-good-1.18.4-6.el9.i686.rpm
gstreamer1-plugins-good-1.18.4-6.el9.x86_64.rpm
gstreamer1-plugins-good-debuginfo-1.18.4-6.el9.i686.rpm
gstreamer1-plugins-good-debuginfo-1.18.4-6.el9.x86_64.rpm
gstreamer1-plugins-good-debugsource-1.18.4-6.el9.i686.rpm
gstreamer1-plugins-good-debugsource-1.18.4-6.el9.x86_64.rpm
gstreamer1-plugins-good-gtk-1.18.4-6.el9.i686.rpm
gstreamer1-plugins-good-gtk-1.18.4-6.el9.x86_64.rpm
gstreamer1-plugins-good-gtk-debuginfo-1.18.4-6.el9.i686.rpm
gstreamer1-plugins-good-gtk-debuginfo-1.18.4-6.el9.x86_64.rpm
gstreamer1-plugins-good-qt-debuginfo-1.18.4-6.el9.i686.rpm
gstreamer1-plugins-good-qt-debuginfo-1.18.4-6.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-1920
https://access.redhat.com/security/cve/CVE-2022-1921
https://access.redhat.com/security/cve/CVE-2022-1922
https://access.redhat.com/security/cve/CVE-2022-1923
https://access.redhat.com/security/cve/CVE-2022-1924
https://access.redhat.com/security/cve/CVE-2022-1925
https://access.redhat.com/security/cve/CVE-2022-2122
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZFo06dzjgjWX9erEAQhrwQ//Ux/jfIsdlOlcSYh49YQrv5mmRH639gQE
TVDDFz5x/9zRwuos1650/zyEs5SF3F9pBFgc8FeU9V2styVUuIYTgKtI3vYexa48
LfoWcFZhVHNq60onLmoH/1TJsIdPA5Lvdmk2kqMn0+dA77CD9EAviilfWkTDp27F
I1fTX0L0S8d7JZAscwMsrCefItv/5LG+tH2bN6ZokA21aV1RkLqaKylJdZj5+m2y
dSyelBeEidfQTxaj9CNZftOrQjDziyW6JFVfQna2sOuz7ejOMUkfy25ZH145M9Y6
0P7S71w+8FVk76AlrKE3qGyh0V13dfHTQpZW6cca4yzrKmoH2G4EDFHo0g9PrSwD
eKFRmnJ6VNkyc4lgQT7G5ME1PsNYlRsX5WAUKWzT8RaIcxIWDr96UhoeKC2gYiaW
wr/aOcBij0NZkdWN+9NbnXZqrwIRPTe8dOJpQpO9Nojsev4o7LZhWdS1z5C0xwsu
wdPIlMofZ8/x01z39b/CVPsmESk0kefw7w5rwj+9XO2QcXwZkrshpZM8tMjhrMlF
WyEOPPli2WpQfjco/jiMhV8cjKHSCHQSYPt67QZXtUFqD68P8AI1RhX9K7VhPVRo
gOTkEsGxwqp2uLiTvYc7kElDjbKD/6nd52MANo4TR4aO2sZsTylCNeQ7I2bROhE4
krFzi7LnE2s=IWWY
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Gentoo Linux Security Advisory 202409-13 - Multiple vulnerabilities have been discovered in gst-plugins-good, the worst of which could lead to denial of service or arbitrary code execution. Versions greater than or equal to 1.20.3 are affected.
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1920: A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska file. This vulnerability can result in application crash, memory corruption, and code execution. * CVE-2022-1921: A flaw was found in GStreamer. An integer overflow can lead to ...
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1920: A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska file. This vulnerability can result in application crash, memory corruption, and code execution. * CVE-2022-1921: A flaw was found in GStreamer. An integer overflow can lead to ...
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1920: A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska file. This vulnerability can result in application crash, memory corruption, and code execution. * CVE-2022-1921: A flaw was found in GStreamer. An integer overflow can lead to ...
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1920: A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska file. This vulnerability can result in application crash, memory corruption, and code execution. * CVE-2022-1921: A flaw was found in GStreamer. An integer overflow can lead to ...
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1920: A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska file. This vulnerability can result in application crash, memory corruption, and code execution. * CVE-2022-1921: A flaw was found in GStreamer. An integer overflow can lead to ...
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1920: A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska file. This vulnerability can result in application crash, memory corruption, and code execution. * CVE-2022-1921: A flaw was found in GStreamer. An integer overflow can lead to ...
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1920: A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska file. This vulnerability can result in application crash, memory corruption, and code execution. * CVE-2022-1921: A flaw was found in GStreamer. An integer overflow can lead to ...
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
Ubuntu Security Notice 5555-1 - It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5555-1 - It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5555-1 - It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5555-1 - It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5555-1 - It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5555-1 - It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5555-1 - It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.
DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite.
Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite.