Bug 1724904 (CVE-2019-9928)

Summary: CVE-2019-9928 GStreamer: heap-based buffer overflow in the RTSP connection parser via crafted server response leading to remote code execution
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Nobody <nobody>
Status: ASSIGNED
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: gst-plugins-base 1.16.0
CC: ajax, bdpepple, bnocera, caillon+fedoraproject, erik-fedora, gnome-sig, john.j5live, mbenatto, mclasen, otte, rh-spice-bugs, rhughes, rsahoo, rstrode, tuxator, uraeus, victortoso, wtaymans
Bug Depends On: 1724906, 1724907, 1724908, 1724909, 1725230, 1725231, 1725232, 1725234, 1725261, 1725262, 1726420, 1726421, 1726422, 1726423
Bug Blocks: 1724910

Description msiddiqu 2019-06-28 04:11:48 UTC
GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.

References:   

https://gstreamer.freedesktop.org/security/sa-2019-0001.html

Upstream MR:

https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/merge_requests/157

Comment 2 Marco Benatto 2019-06-28 21:42:27 UTC
External References:

https://gstreamer.freedesktop.org/security/sa-2019-0001.html

Comment 3 Marco Benatto 2019-06-28 21:42:43 UTC
Created gstreamer-plugins-base tracking bugs for this issue:

Affects: fedora-all [bug 1725261]


Created mingw-gstreamer1-plugins-base tracking bugs for this issue:

Affects: fedora-all [bug 1725262]

Comment 10 Marco Benatto 2019-07-03 15:06:24 UTC
Statement:

This issue affects the version of gstreamer-plugins-base and gstreamer1-plugins-base as shipped with Red Hat Enterprise Linux 6, 7 and 8. The security impact has been rated as Moderate by the Red Hat Product Security team.

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 12 Marco Benatto 2019-08-13 12:59:00 UTC
When parsing the session id field from an RTSP connection, gstreamer doesn't properly validate the session id length sent by the server. An attacker could leverage this by crafting a malicious server causing a heap-based overflow on the client, which may DoS or cause memory corruption leading the client side to behave unexpectedly. The client may mitigate the security risk by avoiding connecting to untrusted RTSP servers.
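To illustrate the defect class described in the comment above, here is an added example (not code from GStreamer or from the merge request) contrasting a session-id copy whose length is derived from the server-sent `Session` header with no cap against a bounded parser. The buffer size, the function names and the sample header are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a connection's session_id field (size is this example's, not GStreamer's). */
#define SESSION_ID_MAX 512

/* Defective pattern: the offset of the ';' attribute separator becomes the
 * copy length with no cap, so the server decides how many bytes are copied. */
size_t unchecked_copy_len(const char *hdr)
{
    size_t i = 0;
    while (hdr[i] != '\0' && hdr[i] != ';')
        i++;
    return i;   /* may exceed SESSION_ID_MAX - 1 */
}

/* Hardened: the loop is bounded by the buffer size too; over-long ids are rejected. */
bool parse_session_id(const char *hdr, char out[SESSION_ID_MAX])
{
    size_t i;
    for (i = 0; i < SESSION_ID_MAX - 1 && hdr[i] != '\0' && hdr[i] != ';'; i++)
        out[i] = hdr[i];
    if (hdr[i] != '\0' && hdr[i] != ';') {   /* cap reached, id not finished */
        out[0] = '\0';
        return false;
    }
    out[i] = '\0';
    return true;
}

/* Constructed sample (not captured traffic): a 600-byte id, over the 512-byte cap. */
static char overlong_header[600 + sizeof ";timeout=60"];
static char session_id[SESSION_ID_MAX];

const char *constructed_overlong_header(void)
{
    memset(overlong_header, 'A', 600);
    strcpy(overlong_header + 600, ";timeout=60");
    return overlong_header;
}

int main(void)
{
    bool ok = parse_session_id(constructed_overlong_header(), session_id);
    printf("unchecked copy length %zu vs buffer %d; hardened accepted: %d\n",
           unchecked_copy_len(overlong_header), SESSION_ID_MAX - 1, ok);
    return 0;
}
```

The unchecked length (600) exceeds the 511 bytes the destination can hold, which is the condition a heap overflow needs; the bounded parser refuses the header instead.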