Bug 2250247 (CVE-2023-44429, ZDI-CAN-22226) - CVE-2023-44429 gstreamer: AV1 codec parser heap-based buffer overflow
Summary: CVE-2023-44429 gstreamer: AV1 codec parser heap-based buffer overflow
Keywords:
Status: NEW
Alias: CVE-2023-44429, ZDI-CAN-22226
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2250248
Blocks: 2250251
Reported: 2023-11-17 09:49 UTC by Mauro Matteo Cascella
Modified: 2024-01-08 08:17 UTC

Fixed In Version: gstreamer-plugins-bad-free 1.22.7
Doc Type: ---
Doc Text:
A heap-based buffer overflow vulnerability was found in GStreamer in the AV1 codec parser when handling certain malformed streams. A malicious third party could use this flaw to trigger a crash in the application and possibly affect code execution through heap manipulation.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0075 0 None None None 2024-01-08 08:17:56 UTC
Red Hat Product Errata RHSA-2023:7791 0 None None None 2023-12-13 16:24:31 UTC
Red Hat Product Errata RHSA-2023:7792 0 None None None 2023-12-13 16:19:17 UTC
Red Hat Product Errata RHSA-2023:7873 0 None None None 2023-12-18 07:38:53 UTC

Description Mauro Matteo Cascella 2023-11-17 09:49:55 UTC
Heap-based buffer overflow in the AV1 codec parser when handling certain malformed streams before GStreamer 1.22.7. It is possible for a malicious third party to trigger a crash in the application, and possibly also affect code execution through heap manipulation.

References:
https://gstreamer.freedesktop.org/security/sa-2023-0009.html
https://www.zerodayinitiative.com/advisories/ZDI-CAN-22226

Upstream commit:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b76a801f57353b893c344025cac56413140fca6d

Comment 1 Mauro Matteo Cascella 2023-11-17 09:50:09 UTC
Created gstreamer1-plugins-bad-free tracking bugs for this issue:

Affects: fedora-all [bug 2250248]

Comment 9 Sandipan Roy 2023-12-13 15:14:26 UTC
Statement:

A malicious third party has the potential to induce a crash in the application and may also impact code execution by manipulating the heap. Additionally, this vulnerability could lead to unauthorized access and compromise the security of the system.

Red Hat Enterprise Linux 7 & 8 have gstreamer < 1.17, which does not have the av1 parser yet (does not have the vulnerable code), so RHEL-7 & RHEL-8 are not affected by this CVE.

Comment 10 errata-xmlrpc 2023-12-13 16:19:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7792 https://access.redhat.com/errata/RHSA-2023:7792

Comment 11 errata-xmlrpc 2023-12-13 16:24:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7791 https://access.redhat.com/errata/RHSA-2023:7791

Comment 12 errata-xmlrpc 2023-12-18 07:38:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7873 https://access.redhat.com/errata/RHSA-2023:7873

