Bug 2331760 (CVE-2024-47606)

Summary: CVE-2024-47606 gstreamer1-plugins-good: integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ahughes, khosford, mbalaoal, neugens, pjindal, sraghupu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the MP4/MOV demuxer and memory allocator in the GStreamer library. Processing a specially crafted input file can cause an integer overflow in the qtdemux_parse_theora_extension function. This issue leads to a small amount of memory being allocated to store a large input size, resulting in an out-of-bounds write.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2331887, 2331888, 2331889, 2331890    
Bug Blocks:    

Description OSIDB Bzimport 2024-12-11 20:02:49 UTC 
GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.
Comment 2 errata-xmlrpc 2024-12-16 15:55:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:11122 https://access.redhat.com/errata/RHSA-2024:11122
Comment 3 errata-xmlrpc 2024-12-16 16:02:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:11119 https://access.redhat.com/errata/RHSA-2024:11119
Comment 4 errata-xmlrpc 2024-12-16 16:10:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:11121 https://access.redhat.com/errata/RHSA-2024:11121
Comment 5 errata-xmlrpc 2024-12-16 21:04:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:11148 https://access.redhat.com/errata/RHSA-2024:11148
Comment 6 errata-xmlrpc 2024-12-16 21:12:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:11149 https://access.redhat.com/errata/RHSA-2024:11149
Comment 7 errata-xmlrpc 2024-12-17 19:10:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:11298 https://access.redhat.com/errata/RHSA-2024:11298
Comment 8 errata-xmlrpc 2024-12-17 19:32:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:11299 https://access.redhat.com/errata/RHSA-2024:11299
Comment 9 errata-xmlrpc 2024-12-18 08:19:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:11344 https://access.redhat.com/errata/RHSA-2024:11344
Comment 10 errata-xmlrpc 2024-12-18 09:09:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:11346 https://access.redhat.com/errata/RHSA-2024:11346
Comment 11 errata-xmlrpc 2024-12-18 09:37:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:11348 https://access.redhat.com/errata/RHSA-2024:11348