Bug 1396645

Summary: vmncdec - integer overflow in the allocation of the render buffer (no CVE yet)
Product: [Fedora] Fedora Reporter: samoht0 <samoht0-bugzilla>
Component: gstreamer-plugins-bad-freeAssignee: Benjamin Otte <otte>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 24CC: bnocera, fabian.deutsch, otte, wtaymans
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-21 07:24:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description samoht0 2016-11-18 20:00:50 UTC 
Description of problem:

Security issue as described above and here:

https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html

Fixed with this commit:

https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe

See also:

https://bugzilla.gnome.org/show_bug.cgi?id=774533

Version-Release number of selected component (if applicable):

gstreamer1-plugins-bad-free-1.8.3-1.fc24

Comment:

Apart from the fact, that mentioned crash needs 3rd-party software being installed in Fedora (Google Chrome), it would also being triggered, if a prepared file gets into the Home folder other ways. That's why I've chosen to set severity to high.
Comment 1 Andrej Nemec 2016-11-21 07:24:46 UTC 

*** This bug has been marked as a duplicate of bug 1395768 ***