Secunia reported an integer overflow in the gstreamer-plugins-good PNG decoding handler. If something uses gstreamer-plugins-good to decode a PNG image, it may be possible to execute arbitrary code as the user. The Debian bug report is here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531631
In the research we've done, neither totem nor rhythmbox will use this plugin to parse PNG images. A PNG image can be displayed using this command:
gst-launch filesrc location=/usr/share/pixmaps/apple-green.png ! decodebin ! ffmpegcolorspace ! freeze ! autovideosink
Created attachment 346576: Upstream patch
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
Via RHSA-2009:1123 https://rhn.redhat.com/errata/RHSA-2009-1123.html