Bug 2254541 (CVE-2023-37329, GStreamer-SA-2023-0003, ZDI-CAN-20994)

Summary: CVE-2023-37329 gstreamer-plugins-bad: heap overwrite in PGS subtitle overlay decoder
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: yselkowi
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: gst-plugins-bad 1.22.4, gst-plugins-bad 1.20.7
Doc Text:
A heap-based buffer overflow vulnerability was found in the PGS Blu-ray subtitle decoder within GStreamer when processing specific files. This issue could allow a malicious third party to crash the application and execute code by manipulating the heap.
Bug Depends On: 2254683, 2254684
Bug Blocks: 2254548

Description TEJ RATHI 2023-12-14 12:18:44 UTC
Heap-based buffer overflow in the PGS Blu-ray subtitle decoder when handling certain files in GStreamer versions before 1.22.4 / 1.20.7. It is possible for a malicious third party to trigger a crash in the application, and possibly also effect code execution through heap manipulation.

https://gstreamer.freedesktop.org/security/sa-2023-0003.html

Comment 3 Sandipan Roy 2023-12-15 05:45:21 UTC
Created gstreamer1-plugins-bad-free tracking bugs for this issue:

Affects: fedora-all [bug 2254683]


Created mingw-gstreamer1-plugins-bad-free tracking bugs for this issue:

Affects: fedora-all [bug 2254684]

Comment 4 Yaakov Selkowitz 2023-12-15 06:35:36 UTC
Please note that the dvdspu plugin has been stripped from our source packages due to legal constraints.  Therefore, nothing shipped by Red Hat or Fedora should have ever been affected.