GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.

References: https://gstreamer.freedesktop.org/security/sa-2019-0001.html

Upstream MR: https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/merge_requests/157
External References: https://gstreamer.freedesktop.org/security/sa-2019-0001.html
Created gstreamer-plugins-base tracking bugs for this issue:
Affects: fedora-all [bug 1725261]

Created mingw-gstreamer1-plugins-base tracking bugs for this issue:
Affects: fedora-all [bug 1725262]
Upstream commit for this issue: https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/commit/f672277509705c4034bc92a141eefee4524d15aa?merge_request_iid=157
Statement: This issue affects the version of gstreamer-plugins-base and gstreamer1-plugins-base as shipped with Red Hat Enterprise Linux 6, 7 and 8. The security impact has been rated as Moderate by the Red Hat Product Security team. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
When parsing the session id field from an RTSP connection, gstreamer doesn't properly validate the session id length sent by the server. An attacker could leverage this by crafting a malicious server causing a heap-based overflow on the client, which may cause a DoS or memory corruption, leading the client side to behave unexpectedly. The client may mitigate the security risk by avoiding connecting to untrusted RTSP servers.
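The length check described above, as an added example (not GStreamer's code and not the upstream patch): a client-side routine that stores the id from an RTSP `Session:` header value into a fixed-size field and rejects an over-long id instead of copying it. The struct, the function name and the 512-byte buffer size are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SESSION_ID_MAX 512 /* assumed field size, not taken from GStreamer */

struct rtsp_conn {
    char session_id[SESSION_ID_MAX];
};

/* Store the session id from a "Session:" header value such as
 * " 12345678;timeout=60". The id ends at ';' or at end of string.
 * Returns 0 on success, -1 if the id is empty or does not fit;
 * on failure the previously stored id is left untouched. */
int rtsp_store_session_id(struct rtsp_conn *conn, const char *value)
{
    size_t len;

    if (conn == NULL || value == NULL)
        return -1;

    /* Skip optional whitespace after the header colon. */
    while (*value == ' ' || *value == '\t')
        value++;

    /* The id length is server-controlled: measure it before copying. */
    len = strcspn(value, ";");

    /* Drop trailing whitespace and line terminators. */
    while (len > 0 && strchr(" \t\r\n", value[len - 1]) != NULL)
        len--;

    /* Bound the copy by the destination size, leaving room for the NUL. */
    if (len == 0 || len >= sizeof(conn->session_id))
        return -1;

    memcpy(conn->session_id, value, len);
    conn->session_id[len] = '\0';
    return 0;
}

int main(void)
{
    struct rtsp_conn conn = { "" };
    /* Constructed sample header value. */
    int rc = rtsp_store_session_id(&conn, " 12345678;timeout=60");
    printf("rc=%d id=%s\n", rc, conn.session_id);
    return 0;
}
```

Rejecting the response, rather than truncating the id, keeps the client from later sending a session id the server never issued.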