Bug 1395767 - (CVE-2016-9445) CVE-2016-9445 gstreamer-plugins-bad-free: Integer overflow when allocating render buffer in VMnc decoder
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20161115,repor...
Keywords: Reopened, Security
Duplicates: 1396196
Depends On: 1395770 1395771 1395772 1395768 1395769 1399070 1400820 1400821 1400838 1400839 1400897 1400898 1400910
Blocks: 1395773
Reported: 2016-11-16 10:56 EST by Adam Mariš
Modified: 2018-07-18 11:06 EDT
Doc Text:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in GStreamer's VMware VMnc video file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Last Closed: 2016-11-28 03:38:46 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2974 normal SHIPPED_LIVE Important: gstreamer-plugins-bad-free security update 2016-12-21 12:13:11 EST
Red Hat Product Errata RHSA-2017:0018 normal SHIPPED_LIVE Moderate: gstreamer-plugins-bad-free security update 2017-01-05 09:15:14 EST
Red Hat Product Errata RHSA-2017:0021 normal SHIPPED_LIVE Moderate: gstreamer1-plugins-bad-free security update 2017-01-05 10:05:27 EST

Description Adam Mariš 2016-11-16 10:56:00 EST
An integer overflow vulnerability was found when allocating the render buffer in the vmnc decoder, which results in a heap buffer overflow.

External References:

https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html?m=1
Comment 1 Adam Mariš 2016-11-16 10:57:09 EST
Created mingw-gstreamer1 tracking bugs for this issue:

Affects: fedora-all [bug 1395771]
Affects: epel-7 [bug 1395772]
Comment 2 Adam Mariš 2016-11-16 10:57:29 EST
Created gstreamer tracking bugs for this issue:

Affects: fedora-all [bug 1395768]
Comment 3 Adam Mariš 2016-11-16 10:57:42 EST
Created mingw-gstreamer tracking bugs for this issue:

Affects: fedora-all [bug 1395770]
Comment 4 Adam Mariš 2016-11-16 10:57:54 EST
Created gstreamer1 tracking bugs for this issue:

Affects: fedora-all [bug 1395769]
Comment 5 Andrej Nemec 2016-11-21 02:48:28 EST
*** Bug 1396196 has been marked as a duplicate of this bug. ***
Comment 7 Dhiru Kholia 2016-11-28 03:30:50 EST
Mitigation:

This mitigation is only required if vulnerable gstreamer-plugins-bad-free and/or gstreamer1-plugins-bad-free packages are installed.

For RHEL 7,

sudo rm /usr/lib*/gstreamer-1.0/libgstvmnc.so
sudo rm /usr/lib*/gstreamer-0.10/libgstvmnc.so

For RHEL 6,

sudo rm /usr/lib*/gstreamer-0.10/libgstvmnc.so

Please note that this mitigation deletes the vulnerable VMware NC decoder, which removes the functionality to play VMware movie files.
Comment 10 Dhiru Kholia 2016-11-28 03:46:30 EST
Created gstreamer1-plugins-bad-free tracking bugs for this issue:

Affects: fedora-all [bug 1399070]
Comment 11 Wim Taymans 2016-11-28 06:40:57 EST
Updates to gstreamer1-plugins-bad-free:

f24: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c4004fe99e
f25: https://bodhi.fedoraproject.org/updates/FEDORA-2016-a82e35272c
Comment 15 Dhiru Kholia 2016-12-02 04:37:38 EST
Created gstreamer-plugins-bad-free tracking bugs for this issue:

Affects: fedora-all [bug 1400910]
Comment 18 errata-xmlrpc 2016-12-21 07:13:37 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2974 https://rhn.redhat.com/errata/RHSA-2016-2974.html
Comment 19 errata-xmlrpc 2017-01-05 04:15:44 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0018 https://rhn.redhat.com/errata/RHSA-2017-0018.html
Comment 20 errata-xmlrpc 2017-01-05 05:05:46 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0021 https://rhn.redhat.com/errata/RHSA-2017-0021.html