Bug 2250247 (CVE-2023-44429, ZDI-CAN-22226)

Summary: CVE-2023-44429 gstreamer: AV1 codec parser heap-based buffer overflow
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: gstreamer-plugins-bad-free 1.22.7
Doc Type: ---
Doc Text:
A heap-based buffer overflow vulnerability was found in GStreamer in the AV1 codec parser when handling certain malformed streams. A malicious third party could use this flaw to trigger a crash in the application and possibly affect code execution through heap manipulation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2250248
Bug Blocks: 2250251

Description Mauro Matteo Cascella 2023-11-17 09:49:55 UTC
Heap-based buffer overflow in the AV1 codec parser when handling certain malformed streams before GStreamer 1.22.7. It is possible for a malicious third party to trigger a crash in the application, and possibly also affect code execution through heap manipulation.

References:
https://gstreamer.freedesktop.org/security/sa-2023-0009.html
https://www.zerodayinitiative.com/advisories/ZDI-CAN-22226

Upstream commit:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b76a801f57353b893c344025cac56413140fca6d

Comment 1 Mauro Matteo Cascella 2023-11-17 09:50:09 UTC
Created gstreamer1-plugins-bad-free tracking bugs for this issue:

Affects: fedora-all [bug 2250248]

Comment 9 Sandipan Roy 2023-12-13 15:14:26 UTC
Statement:

A malicious third party has the potential to induce a crash in the application and may also impact code execution by manipulating the heap. Additionally, this vulnerability could lead to unauthorized access and compromise the security of the system.

Red Hat Enterprise Linux 7 & 8 have gstreamer < 1.17, which does not have the AV1 parser yet (it does not contain the vulnerable code), so RHEL-7 & RHEL-8 are not affected by this CVE.

Comment 10 errata-xmlrpc 2023-12-13 16:19:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7792 https://access.redhat.com/errata/RHSA-2023:7792

Comment 11 errata-xmlrpc 2023-12-13 16:24:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7791 https://access.redhat.com/errata/RHSA-2023:7791

Comment 12 errata-xmlrpc 2023-12-18 07:38:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7873 https://access.redhat.com/errata/RHSA-2023:7873